From 9e82bb6c4eeb3de07215ae72d4e21460ce0ab510 Mon Sep 17 00:00:00 2001
From: david
Date: Sat, 29 Jun 2013 22:33:56 +0000
Subject: [PATCH] Support chained certificate files with --ssl-cert. Use the recommended SSL_CTX_use_certificate_chain_file over SSL_CTX_use_certificate_file. https://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html#NOTES Patch by Greg Bailey. http://seclists.org/nmap-dev/2013/q2/399
---
 CHANGELOG | 3 +++
 ncat/ncat_ssl.c | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index b5b6ddf3a..167aed105 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o [Ncat] Ncat now support chained certificates with the --ssl-cert
+ option. [Greg Bailey]
+
 o Stop parsing TCP options after reaching EOL in libnetutil. Bug reported by Gustavo Moreira. [Henri Doreau]
diff --git a/ncat/ncat_ssl.c b/ncat/ncat_ssl.c
index 518dc3ba6..cbb672f7c 100644
--- a/ncat/ncat_ssl.c
+++ b/ncat/ncat_ssl.c
@@ -173,8 +173,8 @@ SSL_CTX *setup_ssl_listen(void)
 } else {
 if (o.sslcert == NULL || o.sslkey == NULL)
 bye("The --ssl-key and --ssl-cert options must be used together.");
- if (SSL_CTX_use_certificate_file(sslctx, o.sslcert, SSL_FILETYPE_PEM) != 1)
- bye("SSL_CTX_use_certificate_file(): %s.", ERR_error_string(ERR_get_error(), NULL));
+ if (SSL_CTX_use_certificate_chain_file(sslctx, o.sslcert) != 1)
+ bye("SSL_CTX_use_certificate_chain_file(): %s.", ERR_error_string(ERR_get_error(), NULL));
 if (SSL_CTX_use_PrivateKey_file(sslctx, o.sslkey, SSL_FILETYPE_PEM) != 1)
 bye("SSL_CTX_use_Privatekey_file(): %s.", ERR_error_string(ERR_get_error(), NULL));
 }
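Review bot: The switch to SSL_CTX_use_certificate_chain_file in the ncat/ncat_ssl.c hunk makes the order of certificates inside the --ssl-cert file significant, and nothing at the call site says so. OpenSSL takes the first PEM certificate in the file as the server certificate and the remaining ones as chain certificates, so a file that lists an intermediate first would most likely surface only at the following SSL_CTX_use_PrivateKey_file call, as a key-mismatch error that does not point at the certificate file. I would add a comment above the new call such as `/* o.sslcert is PEM: server certificate first, then intermediates in order toward the root. */` and state the same requirement in the --ssl-cert documentation. The context line after it also prints `SSL_CTX_use_Privatekey_file()` where the function is `SSL_CTX_use_PrivateKey_file()`, which makes the message harder to search for. setup_ssl_listen starts and ends outside this hunk.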