We start with a context that I load a dhparam file to (so I can take a DH connection) along with an edh curve, then set an acceptable cipher list for it to use.

Assume I next manually load both the CA store (using X509_STORE_add_cert as many times as necessary to load the intermediate components and the root of trust) and then load the cert/key pair (using SSL_CTX_use_certificate/SSL_CTX_use_PrivateKey).

I then create some number of SSLs from that context to perform communication with and all is well.

Now I want to rekey that context for some reason. It appears that while I can add things to the CA chain, trying to load the same component that is already in there returns a failure (somewhat expected; that is, it does not overwrite but rather adds, and if you try to add what's already there you get an error back) and there's no call to CLEAR the certificate validation chain -- if I want to *replace* the validation chain I have to destroy the context and initialize a new one from scratch.

It appears, however, that I *can* load over the top of a certificate and private key of the same type and that's acceptable. In other words, if I have an RSA key/cert pair in the context and I load another one, the first one is replaced. This *looks* to be working ok as far as I can tell and it doesn't appear to leak memory doing that, but it's not explicitly stated that this is considered acceptable (rather than destroying and re-creating the context).

Is my understanding correct?
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users