crypto: use SSL_CTX_clear_extra_chain_certs.

agl · Myles Borins · commit ab5cb0539b69 · 2016-02-18T08:27:55.000-08:00
The SSL_CTX_clear_extra_chain_certs function clears the extra certificates associated with an SSL_CTX without reaching into the SSL_CTX structure itself (which will become impossible in OpenSSL 1.1.0). The underlying implementation in OpenSSL[1] is the same what the code was doing and OpenSSL has provided this function since 0.9.8 so this change should be fully compatible. [1] https://github.com/nodejs/node/blob/master/deps/openssl/openssl/ssl/s3_lib.c#L3899 PR-URL: #4919 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
@@ -532,10 +532,7 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
     // the CA certificates.
     int r;
 
-    if (ctx->extra_certs != nullptr) {
-      sk_X509_pop_free(ctx->extra_certs, X509_free);
-      ctx->extra_certs = nullptr;
-    }
+    SSL_CTX_clear_extra_chain_certs(ctx);
 
     for (int i = 0; i < sk_X509_num(extra_certs); i++) {
       X509* ca = sk_X509_value(extra_certs, i);
