I did a 2.2 to 2.4 migration today. The old 2.2 server was using a certificate file, which was DER encoded and the new 2.4 one didn't like it.

It seems support for DER encoded certs was removed in 2.4.8 as a side effect of r1573360 (backport of r1553824). The certificate in 2.2 is read using SSL_read_X509() which tries PEM but also DER. After the change, the OpenSSL API SSL_read_X509() is used, which only accepts PEM.

Is that problem analysis right? If so, we'd need to decide whether we keep it as is (no one complained, so DER seems to be rare) and simply document the change in the changelog and migration guide, or whether we still need to support DER encoded certs.

IMHO documenting the change would be enough.

Regards,

Rainer
