Re: SSL_get_certificate

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 09/09/2019 16:21, Viktor Dukhovni wrote:
> One of the "CHANGES" entries for 1.0.1d reads:
> 
>  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
>     the right response is stapled. Also change SSL_get_certificate()
>     so it returns the certificate actually sent.
>     See http://rt.openssl.org/Ticket/Display.html?id=2836.
>     [Rob Stradling <rob.stradling@xxxxxxxxxx>]
> 
> Consequently 1.0.1d and later had the expected behaviour.  However,
> in commits this was updated:
> 
>  dc144417571735c82853421a8845ef603d828a0b (1.0.2-beta1)
>  e5db9c3b67deb80e274f66e3832a9cfba931670c (also master, at the time 1.1.0-dev)
> 
>    Minor enhancement to PR#2836 fix. Instead of modifying SSL_get_certificate
>    change the current certificate (in s->cert->key) to the one used and then
>    SSL_get_certificate and SSL_get_privatekey will automatically work.
> 
> The code for "change the current certificate" was:

> But it only runs if there's a "tlsext_status_cb" callback, which may
> not cover all the expected use-cases.  I think this merits a new
> issue on Github.

Thanks.  Fortunately it covers mine; I "just" need to work out
how to match up an OCSP resp to the cert.

Could we also get SSL_get_certificate documented?  It doesn't
seem to be currently, despite
https://www.openssl.org/docs/manmaster/man3/SSL_get_tlsext_status_ocsp_resp.html
saying the server should use it.

Another reason for wanting this will be for TLS1.3 with whole-chain stapling.
I wonder whether the library could provide more built-in support for stapling -
attaching the status (chain)(s) to the server certificate chain(s) before
SSL_accept() rather than doing (multiple) callbacks on seeing the client
status-request.
-- 
Cheers,
  Jeremy



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux