load_pem_x509_certificate errors out if data contains multiple PEM certificates

[felixfontein]

The change in #6365 has the unfortunate side-effect that if one calls load_pem_x509_certificate() on a bytes string which has multiple PEM certificates concatenated, it returns an error (Valid PEM but multiple BEGIN CERTIFICATE/END CERTIFICATE delimiters.). This is a breaking change, this worked fine with 35.0.0 and before.

This usually happens when trying to load the certificate from certificate + chain files that are often used to configure TLS for webservers (see for example https://nginx.org/en/docs/http/configuring_https_servers.html#chains).

If this change is kept in its current form, it really needs to be documented as a breaking change in the changelog.

[reaperhulk]

Thanks for catching this. I think we probably need to handle this and just load the first one like OpenSSL does even though that is itself a somewhat odd behavior.

[felixfontein]

Would it make sense ot make this behavior configurable, i.e. pass a parameter to the loading function which allows to making this an error (with a default for backwards compatibility)?