From 5aae4752517914da90ccadf3f1ba1001c8205c2f Mon Sep 17 00:00:00 2001
From: Emmanuel Hocdet <manu@gandi.net>
Date: Mon, 3 Dec 2018 18:07:44 +0100
Subject: [PATCH 3/6] MINOR: ssl: SSL_CTX_set1_chain compatibility

cert_key_and_chain handling is now outside openssl 1.0.2 #if: the
code must be libssl compatible. Implement SSL_CTX_set1_chain for
libssl without this function.
---
 src/ssl_sock.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 7bf1eeef..d0ce2af2 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2901,11 +2901,27 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 	}
 
 	/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
+#ifdef SSL_CTX_set1_chain
         if (!SSL_CTX_set1_chain(ctx, ckch->chain)) {
 		memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
 			  err && *err ? *err : "", path);
 		return 1;
 	}
+#else
+	{ /* SSL_CTX_set1_chain compat */
+		X509 *ca;
+		STACK_OF(X509) *chain = X509_chain_up_ref(ckch->chain);
+		while ((ca = sk_X509_shift(chain)))
+			if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
+				memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",
+					  err && *err ? *err : "", path);
+				X509_free(ca);
+				sk_X509_pop_free(chain, X509_free);
+				return 1;
+			}
+		sk_X509_pop_free(chain, X509_free);
+	}
+#endif
 
 	if (SSL_CTX_check_private_key(ctx) <= 0) {
 		memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
-- 
2.11.0

