Set SSL_MODE_NO_AUTO_CHAIN by default.

In transition to removing the auto-chaining feature altogether, set
SSL_MODE_NO_AUTO_CHAIN by default. If we find some consumer was relying on
auto-chaining, this will allow them to revert locally with
SSL_(CTX_)clear_mode, but hopefully this was just unused.

BUG=42

Change-Id: Iaf70a436a3324ce02e02dfb18213b6715c034ff2
Reviewed-on: https://boringssl-review.googlesource.com/12180
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 56280a6..1b0633e 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -670,8 +670,9 @@
 #define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L
 
 /* SSL_MODE_NO_AUTO_CHAIN disables automatically building a certificate chain
- * before sending certificates to the peer.
- * TODO(davidben): Remove this behavior. https://crbug.com/486295. */
+ * before sending certificates to the peer. This flag is set (and the feature
+ * disabled) by default.
+ * TODO(davidben): Remove this behavior. https://crbug.com/boringssl/42. */
 #define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
 
 /* SSL_MODE_ENABLE_FALSE_START allows clients to send application data before
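Review bot: The updated comment on SSL_MODE_NO_AUTO_CHAIN says the flag is now set by default but does not tell a caller what to do about it. A consumer that configured only a leaf certificate and relied on the library to fill in intermediates will now send an incomplete chain, and the resulting verification failure on the peer will not point back to this flag. I would add a sentence to the comment such as `Callers that relied on auto-chaining may clear this flag with SSL_CTX_clear_mode or SSL_clear_mode, but should configure the full chain explicitly instead.`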
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 87af1a8..22baed0 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -304,6 +304,10 @@
     ret->options |= SSL_OP_NO_TICKET;
   }
 
+  /* Disable the auto-chaining feature by default. Once this has stuck without
+   * problems, the feature will be removed entirely. */
+  ret->mode = SSL_MODE_NO_AUTO_CHAIN;
+
   /* Lock the SSL_CTX to the specified version, for compatibility with legacy
    * uses of SSL_METHOD. */
   if (!SSL_CTX_set_max_proto_version(ret, method->version) ||
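Review bot: The new default is installed with a plain assignment, `ret->mode = SSL_MODE_NO_AUTO_CHAIN;`, while the options line just above it uses `|=`. The start of this function is outside the hunk, so I cannot see whether mode is guaranteed to be zero here; if any earlier code ever sets a mode bit, this line would silently discard it. `ret->mode |= SSL_MODE_NO_AUTO_CHAIN;` gives the same result when mode starts at zero and stays correct if that changes. Because this alters which certificates are sent for every new context, a test that checks a fresh context reports the flag through SSL_CTX_get_mode, and that clearing it restores auto-chaining, would pin the default until the feature is removed.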