Blob Blame History Raw
diff --git a/sendmail/conf.c b/sendmail/conf.c
index 777e05e..e693ed0 100644
--- a/sendmail/conf.c
+++ b/sendmail/conf.c
@@ -6504,6 +6504,14 @@ char	*FFRCompileOptions[] =
 	/* More STARTTLS options, e.g., secondary certs. */
 	"_FFR_TLS_1",
 #endif /* _FFR_TLS_1 */
+#if _FFR_TLS_USE_CERTIFICATE_CHAIN_FILE
+	/*
+	**  Use SSL_CTX_use_certificate_chain_file()
+	**  instead of SSL_CTX_use_certificate_file()
+	*/
+
+	"_FFR_TLS_USE_CERTIFICATE_CHAIN_FILE",
+#endif /* _FFR_TLS_USE_CERTIFICATE_CHAIN_FILE */
 #if _FFR_TRUSTED_QF
 	/*
 	**  If we don't own the file mark it as unsafe.
diff --git a/sendmail/tls.c b/sendmail/tls.c
index 72da987..6707a35 100644
--- a/sendmail/tls.c
+++ b/sendmail/tls.c
@@ -860,17 +860,25 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 		if (bitset(TLS_I_USE_KEY, req))
 			return false;
 	}
+#if _FFR_TLS_USE_CERTIFICATE_CHAIN_FILE
+# define SSL_CTX_use_cert(ssl_ctx, certfile) \
+	SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile)
+# define SSL_CTX_USE_CERT "SSL_CTX_use_certificate_chain_file"
+#else
+# define SSL_CTX_use_cert(ssl_ctx, certfile) \
+	SSL_CTX_use_certificate_file(ssl_ctx, certfile, SSL_FILETYPE_PEM)
+# define SSL_CTX_USE_CERT "SSL_CTX_use_certificate_file"
+#endif
 
 	/* get the certificate file */
 	if (bitset(TLS_S_CERT_OK, status) &&
-	    SSL_CTX_use_certificate_file(*ctx, certfile,
-					 SSL_FILETYPE_PEM) <= 0)
+	    SSL_CTX_use_cert(*ctx, certfile) <= 0)
 	{
 		if (LogLevel > 7)
 		{
 			sm_syslog(LOG_WARNING, NOQID,
-				  "STARTTLS=%s, error: SSL_CTX_use_certificate_file(%s) failed",
-				  who, certfile);
+				  "STARTTLS=%s, error: %s(%s) failed",
+				  who, SSL_CTX_USE_CERT, certfile);
 			if (LogLevel > 9)
 				tlslogerr(LOG_WARNING, who);
 		}
@@ -914,13 +922,13 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 
 	/* get the certificate file */
 	if (bitset(TLS_S_CERT2_OK, status) &&
-	    SSL_CTX_use_certificate_file(*ctx, cf2, SSL_FILETYPE_PEM) <= 0)
+	    SSL_CTX_use_cert(*ctx, cf2) <= 0)
 	{
 		if (LogLevel > 7)
 		{
 			sm_syslog(LOG_WARNING, NOQID,
-				  "STARTTLS=%s, error: SSL_CTX_use_certificate_file(%s) failed",
-				  who, cf2);
+				  "STARTTLS=%s, error: %s(%s) failed",
+				  who, SSL_CTX_USE_CERT, cf2);
 			if (LogLevel > 9)
 				tlslogerr(LOG_WARNING, who);
 		}