On 12 July 2018 at 18:49, Daurnimator <quae@xxxxxxxxxxxxxxx> wrote:
> When looking into https://github.com/wahern/luaossl/issues/140 I was
> surprised to learn that an SSL_CTX* (and SSL*) does not use many of
> the X509_STORE members.
>
> e.g. a store has a X509_VERIFY_PARAMS field, however although an
> SSL_CTX* has a related store, it ignores the store's params and uses
> its own.
>
> For a connection pooling implementation, I need to check that an
> existing SSL connection is something that could be approved by a given
> SSL_CTX*.
> I was hoping this would be as simple as doing (error handling omitted
> for brevity):
>
>     X509_STORE_CTX_init(vfy_ctx, SSL_CTX_get0_store(ctx),
>                         SSL_get_certificate(ssl), NULL);
>     X509_verify_cert(vfy_ctx);
>
> However it appears that I really need to do:
>
>     X509_STORE_CTX_init(vfy_ctx, SSL_CTX_get0_store(ctx),
>                         SSL_get_certificate(ssl), NULL);
>     X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(vfy_ctx),
>                               SSL_CTX_get0_param(ctx));
>     // X509_STORE_CTX_set_verify_cb based on SSL_CTX_get_verify_callback(ctx)
>     // X509_STORE_CTX_set0_dane
>     // etc. etc.
>     X509_verify_cert(vfy_ctx);
>
> Is this complexity warranted?
> Is there any plan to remove the redundant fields?
>
> Daurn.

Has anyone had time to look into this?
I filed the related https://github.com/openssl/openssl/issues/6709

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users