# HG changeset patch # User Maxim Dounin # Date 1427067755 -10800 # Node ID 4e3f87c02cb42e0ab6c13b4aac4933d30a16cb1b # Parent a84267233877fb864bac1276494df31b33d38ca7 SSL: use of SSL_MODE_NO_AUTO_CHAIN. The SSL_MODE_NO_AUTO_CHAIN mode prevents OpenSSL from automatically building a certificate chain on the fly if there is no certificate chain explicitly provided. Before this change, certificates provided via the ssl_client_certificate and ssl_trusted_certificate directives were used by OpenSSL to automatically build certificate chains, resulting in unexpected (and in some cases unneeded) chains being sent to clients. diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -285,6 +285,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_ SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS); #endif +#ifdef SSL_MODE_NO_AUTO_CHAIN + SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN); +#endif + SSL_CTX_set_read_ahead(ssl->ctx, 1); SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);