From c3d5b2b1185fea1b5150569b538e0b02944f14b4 Mon Sep 17 00:00:00 2001
From: Adam Langley
Date: Wed, 27 Jan 2016 12:28:41 -0800
Subject: [PATCH] crypto: use SSL_CTX_clear_extra_chain_certs.
The SSL_CTX_clear_extra_chain_certs function clears the extra certificates associated with an SSL_CTX without reaching into the SSL_CTX structure itself (which will become impossible in OpenSSL 1.1.0). The underlying implementation in OpenSSL[1] is the same what the code was doing and OpenSSL has provided this function since 0.9.8 so this change should be fully compatible.
[1] https://github.com/nodejs/node/blob/master/deps/openssl/openssl/ssl/s3_lib.c#L3899
PR-URL: https://github.com/nodejs/node/pull/4919
Reviewed-By: Fedor Indutny
Reviewed-By: Shigeki Ohtsu
---
 src/node_crypto.cc | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 8af318791c..2fb6e887d1 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -521,10 +521,7 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
 // the CA certificates.
 int r;
- if (ctx->extra_certs != nullptr) {
- sk_X509_pop_free(ctx->extra_certs, X509_free);
- ctx->extra_certs = nullptr;
- }
+ SSL_CTX_clear_extra_chain_certs(ctx);
 for (int i = 0; i < sk_X509_num(extra_certs); i++) {
 X509* ca = sk_X509_value(extra_certs, i);
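Review bot: The added `SSL_CTX_clear_extra_chain_certs(ctx);` line has no comment saying why the context's extra chain is emptied before the loop below walks `extra_certs`, and with the explicit free of `ctx->extra_certs` removed that intent is harder to read off the code. I would put a line above it such as `// Clear any extra chain certs left on ctx by an earlier call before adding the new chain.`, so a later refactor does not drop the call and leave certificates from a previous chain attached to the context. The call's result is discarded; going by the commit message the underlying operation only frees the stack, so that looks acceptable, but the stated availability in older OpenSSL releases is worth confirming for builds that link a system OpenSSL. SSL_CTX_use_certificate_chain starts and ends outside the hunk.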