diff --git a/sendmail/conf.c b/sendmail/conf.c
index 777e05e..e693ed0 100644
--- a/sendmail/conf.c
+++ b/sendmail/conf.c
@@ -6504,6 +6504,14 @@ char *FFRCompileOptions[] =
/* More STARTTLS options, e.g., secondary certs. */
"_FFR_TLS_1",
#endif /* _FFR_TLS_1 */
+#if _FFR_TLS_USE_CERTIFICATE_CHAIN_FILE
+ /*
+ ** Use SSL_CTX_use_certificate_chain_file()
+ ** instead of SSL_CTX_use_certificate_file()
+ */
+
+ "_FFR_TLS_USE_CERTIFICATE_CHAIN_FILE",
+#endif /* _FFR_TLS_USE_CERTIFICATE_CHAIN_FILE */
#if _FFR_TRUSTED_QF
/*
** If we don't own the file mark it as unsafe.
diff --git a/sendmail/tls.c b/sendmail/tls.c
index 72da987..6707a35 100644
--- a/sendmail/tls.c
+++ b/sendmail/tls.c
@@ -860,17 +860,25 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
if (bitset(TLS_I_USE_KEY, req))
return false;
}
+#if _FFR_TLS_USE_CERTIFICATE_CHAIN_FILE
+# define SSL_CTX_use_cert(ssl_ctx, certfile) \
+ SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile)
+# define SSL_CTX_USE_CERT "SSL_CTX_use_certificate_chain_file"
+#else
+# define SSL_CTX_use_cert(ssl_ctx, certfile) \
+ SSL_CTX_use_certificate_file(ssl_ctx, certfile, SSL_FILETYPE_PEM)
+# define SSL_CTX_USE_CERT "SSL_CTX_use_certificate_file"
+#endif
/* get the certificate file */
if (bitset(TLS_S_CERT_OK, status) &&
- SSL_CTX_use_certificate_file(*ctx, certfile,
- SSL_FILETYPE_PEM) <= 0)
+ SSL_CTX_use_cert(*ctx, certfile) <= 0)
{
if (LogLevel > 7)
{
sm_syslog(LOG_WARNING, NOQID,
- "STARTTLS=%s, error: SSL_CTX_use_certificate_file(%s) failed",
- who, certfile);
+ "STARTTLS=%s, error: %s(%s) failed",
+ who, SSL_CTX_USE_CERT, certfile);
if (LogLevel > 9)
tlslogerr(LOG_WARNING, who);
}
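Review bot: The `SSL_CTX_use_cert` and `SSL_CTX_USE_CERT` macros introduced at the top of this hunk are defined in the middle of inittls's body and never `#undef`'d, so they stay visible for the rest of tls.c, and their `SSL_CTX_` prefix lives in the namespace OpenSSL uses for its own API, so an OpenSSL symbol of that name would be silently replaced by the macro; the second hunk of this file (the cf2 certificate) relies on the same macros. Either hoist the `#if _FFR_TLS_USE_CERTIFICATE_CHAIN_FILE` block to file scope under a project-style name such as `TLS_use_cert`, or add `#undef SSL_CTX_use_cert` and `#undef SSL_CTX_USE_CERT` after the last use. The comment in the `#if` branch would also benefit from stating that SSL_CTX_use_certificate_chain_file() expects a PEM file ordered leaf certificate first, then intermediates, and that every extra certificate found in certfile is now offered to the peer, whereas SSL_CTX_use_certificate_file() read only the first one. inittls begins and ends outside this hunk.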
@@ -914,13 +922,13 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
/* get the certificate file */
if (bitset(TLS_S_CERT2_OK, status) &&
- SSL_CTX_use_certificate_file(*ctx, cf2, SSL_FILETYPE_PEM) <= 0)
+ SSL_CTX_use_cert(*ctx, cf2) <= 0)
{
if (LogLevel > 7)
{
sm_syslog(LOG_WARNING, NOQID,
- "STARTTLS=%s, error: SSL_CTX_use_certificate_file(%s) failed",
- who, cf2);
+ "STARTTLS=%s, error: %s(%s) failed",
+ who, SSL_CTX_USE_CERT, cf2);
if (LogLevel > 9)
tlslogerr(LOG_WARNING, who);
}
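Review bot: With the FFR enabled, loading cf2 through SSL_CTX_use_cert here is a second chain-file load on the same SSL_CTX, and whether the first certificate's intermediates survive it depends on the OpenSSL version: as far as I recall, releases before 1.0.2 kept a single extra-chain list per context that SSL_CTX_use_certificate_chain_file() clears before reading the new file, in which case the first certificate would be presented without its chain. Worth verifying against the oldest OpenSSL sendmail still supports, and either recording the limitation next to the _FFR comment in conf.c or guarding this path with `#if OPENSSL_VERSION_NUMBER >= 0x10002000L`. The enclosing inittls body continues past the end of this hunk.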