From 75363dcb7c03f8a5a8fb2e261149292497473b1c Mon Sep 17 00:00:00 2001
From: Artem Boldariev
Date: Tue, 9 Mar 2021 14:45:03 +0200
Subject: [PATCH 1/2] Load full certificate chain from a certificate chain file
This commit fixes loading the certificate chain files so that the full chain could be sent to the clients which require that for verification. Before that fix only the top most certificate would be loaded from the chain and sent to clients preventing some of them to perform certificate validation (e.g. Windows 10 DoH client).
---
 lib/isc/tls.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/isc/tls.c b/lib/isc/tls.c
index 8a3f5cc41b..d15fc16b1c 100644
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -311,8 +311,7 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
 EVP_PKEY_free(pkey);
 BN_free(bn);
 } else {
- rv = SSL_CTX_use_certificate_file(ctx, certfile,
- SSL_FILETYPE_PEM);
+ rv = SSL_CTX_use_certificate_chain_file(ctx, certfile);
 if (rv != 1) {
 goto ssl_error;
 }
From c69fafdd6578db158b8922c2a1f62cb2f3cf48fe Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Fri, 12 Mar 2021 09:18:01 +0100
Subject: [PATCH 2/2] Add change entry for [#2514]
---
 CHANGES | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGES b/CHANGES
index 4e7f398cb8..780969125d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5600. [bug] Load a certificate chain file so that the full chain is
+ sent to DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH)
+ clients that require full chain verification. [GL #2514]
+
 5599. [bug] Fix a crash when transferring a zone over TLS, after "named" previously skipped a master. [GL #2562]
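Review bot: The new `SSL_CTX_use_certificate_chain_file(ctx, certfile)` call carries no comment recording the contract it now depends on: the file must be PEM with the end-entity certificate first and the intermediates after it in order, and OpenSSL does not check at load time that those intermediates actually chain to the leaf, so a mis-ordered or stale file still loads with rv == 1 and only shows up as client-side verification failures. A short comment above the call, such as `/* PEM, leaf certificate first, then intermediates; the whole chain is sent because some clients (e.g. DoH on Windows) cannot build it themselves. */`, would keep the next maintainer from reverting to the single-certificate loader. Whether the private key from keyfile is loaded afterwards and its match against the leaf confirmed with `SSL_CTX_check_private_key()` is not visible here, since isc_tlsctx_createserver begins before and continues past this hunk; if that check is absent, adding it would catch a chain file whose leaf does not belong to the key before the context is put into service. Dropping the SSL_FILETYPE_PEM argument is consistent, as the chain loader accepts PEM only, but that too is worth a word in the comment.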