> On Nov 4, 2017, at 8:12 PM, Jeremy Harris <jgh@xxxxxxxxxxx> wrote:
>
>>> After SSL_accept(), call SSL_get_certificate() to see what
>>> cert was presented.
>>
>> The negotiated certificate is only populated in the server SSL
>> handle when you've registered a TLS status callback. See
>>
>> SSL_CTX_set_tlsext_status_cb(3)
>>
>>> What should I be doing different?
>>
>> For now, instantiate the callback.
>
> It doesn't appear to make any difference :-(

Looking more closely, the server might actually need to have received
a status request *and* for there to be a callback:

https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/ssl/t1_lib.c#L3174

The assignment of the current keypair happens on:

https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/ssl/t1_lib.c#L3193

I think we should probably do:

    if (certpkey != NULL) {
        /*
         * Set current certificate to one we will use so SSL_get_certificate
         * et al can pick it up.
         */
        s->cert->key = certpkey;
    }

Unconditionally, at the top of the function, even if there's no callback
and no status request...

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users