@@ -1242,9 +1242,8 @@ static void
stream_ssl_set_ca_cert_file__(const char *file_name,
bool bootstrap, bool force)
{
- X509 **certs;
- size_t n_certs;
struct stat s;
+ STACK_OF(X509_NAME) *cert_names = NULL;
if (!update_ssl_config(&ca_cert, file_name) && !force) {
return;
@@ -1256,23 +1255,9 @@ stream_ssl_set_ca_cert_file__(const char *file_name,
"(this is a security risk)");
} else if (bootstrap && stat(file_name, &s) && errno == ENOENT) {
bootstrap_ca_cert = true;
- } else if (!read_cert_file(file_name, &certs, &n_certs)) {
- size_t i;
-
- /* Set up list of CAs that the server will accept from the client. */
- for (i = 0; i < n_certs; i++) {
- /* SSL_CTX_add_client_CA makes a copy of the relevant data. */
- if (SSL_CTX_add_client_CA(ctx, certs[i]) != 1) {
- VLOG_ERR("failed to add client certificate %"PRIuSIZE" from %s: %s",
- i, file_name,
- ERR_error_string(ERR_get_error(), NULL));
- } else {
- log_ca_cert(file_name, certs[i]);
- }
- X509_free(certs[i]);
- }
- free(certs);
+ } else if ((cert_names = SSL_load_client_CA_file(file_name) ) != NULL) {
+ SSL_CTX_set_client_CA_list(ctx, cert_names);
/* Set up CAs for OpenSSL to trust in verifying the peer's
* certificate. */
SSL_CTX_set_cert_store(ctx, X509_STORE_new());
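Review bot: The rewritten branch drops the per-certificate `log_ca_cert(file_name, certs[i])` call that the removed loop made, so once `SSL_CTX_set_client_CA_list` installs the list there is no longer a log record of which client CAs are now accepted; that entry is the one operators use to confirm a CA-file change took effect, and losing it is an audit regression rather than a functional one. If that logging is meant to go away it deserves a sentence in the commit message; if not, the subject names in the returned stack can be logged before the list is handed to the context, as sketched below (log level and wording to match what log_ca_cert used — its body is not on this page). Separately, `SSL_load_client_CA_file(file_name) )` has a stray space before the closing parenthesis. The enclosing if/else chain begins in the previous hunk and ends in the next one.
```c
    } else if ((cert_names = SSL_load_client_CA_file(file_name)) != NULL) {
        /* Record the accepted client CAs, as the old per-cert loop did. */
        for (int i = 0; i < sk_X509_NAME_num(cert_names); i++) {
            char subject[256];
            VLOG_INFO("accepting client CA \"%s\" from %s",
                      X509_NAME_oneline(sk_X509_NAME_value(cert_names, i),
                                        subject, sizeof subject),
                      file_name);
        }
        SSL_CTX_set_client_CA_list(ctx, cert_names);
        /* … unchanged: cert-store setup … */
```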
@@ -1281,8 +1266,10 @@ stream_ssl_set_ca_cert_file__(const char *file_name,
ERR_error_string(ERR_get_error(), NULL));
return;
}
-
bootstrap_ca_cert = false;
+ } else if (cert_names == NULL) {
+ VLOG_ERR("failed to load client certificates from %s: %s",
+ file_name, ERR_error_string(ERR_get_error(), NULL));
}
ca_cert.read = true;
}
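Review bot: The `else if (cert_names == NULL)` branch is only reached when the preceding `SSL_load_client_CA_file(file_name) != NULL` test was false, so its condition is always true; a plain `} else {` says what is meant and avoids suggesting a fourth outcome exists. Also worth checking against the OpenSSL version OVS builds with: in the 1.1.x sources SSL_load_client_CA_file appears to return NULL with a cleared error queue when the file opens but contains no PEM certificates, in which case `ERR_error_string(ERR_get_error(), NULL)` here would print an all-zero error and an operator could not tell an empty file from an unreadable one — a separate "no certificates found in %s" message for the empty case would make that distinguishable. The function's if/else chain starts in the earlier hunks.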