Replace reference to 'extra_certs' for BoringSSL/OpenSSL 1.0.2 and later #74

byllyfish opened this Issue Jul 11, 2015 · 1 comment



ASIO no longer compiles when using the latest BoringSSL because ASIO accesses the extra_certs member directly in context::use_certificate_chain. To clear the certificate chain, OpenSSL 1.0.2 added a new API you can use: SSL_CTX_clear_chain_certs.

Here is a patch for context.ipp:

diff --git a/asio/include/asio/ssl/impl/context.ipp b/asio/include/asio/ssl/impl/context.ipp
index 08705e7..77da84e 100644
--- a/asio/include/asio/ssl/impl/context.ipp
+++ b/asio/include/asio/ssl/impl/context.ipp
@@ -539,11 +539,15 @@ asio::error_code context::use_certificate_chain(
       return ec;

+#if (OPENSSL_VERSION_NUMBER >= 0x10002000L)
+    ::SSL_CTX_clear_chain_certs(handle_);
     if (handle_->extra_certs)
       ::sk_X509_pop_free(handle_->extra_certs, X509_free);
       handle_->extra_certs = 0;
+#endif // (OPENSSL_VERSION_NUMBER >= 0x10002000L)

     while (X509* cacert = ::PEM_read_bio_X509(bio.p, 0,
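
Review bot: The direct `handle_->extra_certs` accesses still sit inside the `#if (OPENSSL_VERSION_NUMBER >= 0x10002000L)` branch, right after the `::SSL_CTX_clear_chain_certs(handle_);` call, and no `#else` is visible in this hunk. As written, a 1.0.2+ or BoringSSL build would still reference the member the change is meant to stop touching, and a build against an older OpenSSL would compile neither path and leave the previous chain in place. Suggest placing an `#else` directly after the `SSL_CTX_clear_chain_certs` line so the `extra_certs` code is compiled only for older versions. Separately, `if (handle_->extra_certs)` has no braces, so `handle_->extra_certs = 0;` runs unconditionally despite its indentation; adding braces would make the intent explicit.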

@BenPope BenPope referenced this issue in nghttp2/nghttp2 Sep 29, 2015


Support BoringSSL #373

@mlt mlt referenced this issue in PurpleI2P/i2pd Nov 11, 2015


openssl branch #287



chriskohlhoff commented Dec 3, 2015

Fixed in 6c70257.
