From 7235c9765e471de1d121b07fcc3aff01f7551550 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antti=20Sepp=C3=A4l=C3=A4?=
Date: Sun, 28 Jan 2018 16:16:29 +0200
Subject: [PATCH] C websockify: Load entire certificate chain

Instead of single certificate in one file it is sometimes customary to chain multiple certificates into the same file. This is common practice for CAs like letsencrypt that are providing intermediate certificates. This patch switches loading of only one certificate to loading whole chain of certificates. The effects can be seen with e.g. the following command: openssl s_client -showcerts -connect websockify-hostname:8080 Before the change the verify fails: Certificate chain 0 s:/CN=websockify-hostname i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 After the change the verify passes: Certificate chain 0 s:/CN=websockify-hostname i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
 other/websocket.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/other/websocket.c b/other/websocket.c
index 2c9350f..5257ba0 100644
--- a/other/websocket.c
+++ b/other/websocket.c
@@ -169,8 +169,7 @@ ws_ctx_t *ws_socket_ssl(ws_ctx_t *ctx, int socket, char * certfile, char * keyfi
 fatal(msg);
 }
 
- if (SSL_CTX_use_certificate_file(ctx->ssl_ctx, certfile,
- SSL_FILETYPE_PEM) <= 0) {
+ if (SSL_CTX_use_certificate_chain_file(ctx->ssl_ctx, certfile) <= 0) {
 sprintf(msg, "Unable to load certificate file %s\n", certfile);
 fatal(msg);
 }
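Review bot: The new SSL_CTX_use_certificate_chain_file call requires the first PEM entry in certfile to be the server certificate with the intermediates following in order, and when it fails the branch prints only "Unable to load certificate file" while OpenSSL's error queue, which identifies the offending entry, is discarded; add `ERR_print_errors_fp(stderr);` before the `fatal(msg);` in that branch (declared in openssl/err.h). A comment on the new line would make the file-format expectation explicit, e.g. `/* certfile is a PEM chain: server certificate first, then intermediates in order */`. Since the file may now hold several certificates, the private key presumably loaded later in ws_socket_ssl from keyfile should be confirmed against the first one with `SSL_CTX_check_private_key(ctx->ssl_ctx)` if that call is not already present further down. The `sprintf(msg, ...)` on the following context line is unbounded with respect to the length of certfile; if msg is a local array, `snprintf(msg, sizeof msg, "Unable to load certificate file %s\n", certfile);` is the safer form. ws_socket_ssl starts and ends outside this hunk.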