Set SSL_MODE_NO_AUTO_CHAIN by default.

In transition to removing it altogether, set SSL_MODE_NO_AUTO_CHAIN by
default. If we find some consumer was relying on it, this will allow
them to revert locally with SSL_(CTX_)clear_mode, but hopefully this was
just unused.

BUG=42
Change-Id: Iaf70a436a3324ce02e02dfb18213b6715c034ff2
Reviewed-on: https://boringssl-review.googlesource.com/12180
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 87af1a8..22baed0 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -304,6 +304,10 @@
ret->options |= SSL_OP_NO_TICKET;
}
+ /* Disable the auto-chaining feature by default. Once this has stuck without
+ * problems, the feature will be removed entirely. */
+ ret->mode = SSL_MODE_NO_AUTO_CHAIN;
+
/* Lock the SSL_CTX to the specified version, for compatibility with legacy
* uses of SSL_METHOD. */
if (!SSL_CTX_set_max_proto_version(ret, method->version) ||
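Review bot: the added line `ret->mode = SSL_MODE_NO_AUTO_CHAIN;` uses plain assignment, while the options line directly above it uses `ret->options |= SSL_OP_NO_TICKET;`. If any mode bit is set earlier in this constructor, now or in a later change, the assignment silently discards it; `ret->mode |= SSL_MODE_NO_AUTO_CHAIN;` would match the neighbouring style and avoid that. The new comment also says the feature is disabled by default but not how a caller restores the old behaviour. Since the commit message names SSL_(CTX_)clear_mode as the local revert path, it is worth mentioning that in the comment (or in the header documentation for the mode flag), so a consumer whose peers start failing chain validation after this default flips can find the opt-out from the code alone.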