On Mar 29, 2018, at 2:12 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
As discussed offline, there are some side effects which makes this difficult to do whilst maintaining backwards compatibility.
The big one is that using the 1.0.2 API to do certificate chaining seems to effectively disable auto chaining, as certs are no longer taken from the top level ca_file.
If it's possible to do *either* the old method or the new one, that may be useful. Once people start using ECC certs.
The change to how chaining works between OpenSSL < 1.0.2 and >= 1.0.2 is so major I'm tempted to suggest that we have a hard dependency on 1.0.2 in the FreeRADIUS v4.0.x branch to avoid confusion.
That sounds like a good idea. There's just no reason to use a version of OpenSSL which is years out of date. Alan DeKok.