From 140b64fb562fb08cecf93ca6bec99822f7d556fb Mon Sep 17 00:00:00 2001
From: Emmanuel Hocdet <manu@gandi.net>
Date: Thu, 24 Oct 2019 18:33:10 +0200
Subject: [PATCH] BUG/MINOR: ssl: fix SSL_CTX_set1_chain compatibility for
 openssl < 1.0.2

Commit 1c65fdd5 "MINOR: ssl: add extra chain compatibility" really implement
SSL_CTX_set0_chain. Since ckch can be used to init more than one ctx with
openssl < 1.0.2 (commit 89f58073 for X509_chain_up_ref compatibility),
SSL_CTX_set1_chain compatibility is required.

This patch must be backported to 2.1.
---
 src/ssl_sock.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 8512f05d0..e36c03e63 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3552,11 +3552,14 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 #else
 	{ /* legacy compat (< openssl 1.0.2) */
 		X509 *ca;
-		while ((ca = sk_X509_shift(ckch->chain)))
+		STACK_OF(X509) *chain;
+		chain = X509_chain_up_ref(ckch->chain);
+		while ((ca = sk_X509_shift(chain)))
 			if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
 				memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",
 					  err && *err ? *err : "", path);
 				X509_free(ca);
+				sk_X509_pop_free(chain, X509_free);
 				errcode |= ERR_ALERT | ERR_FATAL;
 				goto end;
 			}