Re: Establishing connection errors


 



Sorry, accidentally skipped that part, which was sort of important. I think I can use the same fix because the part I skipped is the problem:

X509          *cert;
cert = PEM_read_X509(fp, NULL, 0, NULL);
status = X509_STORE_add_cert(trusted_store,cert);

So, I need to do this sequence:

X509 *empty_X509;
empty_X509 = X509_new_ex(non_fips_libctx, NULL);
mycert = PEM_read_X509(fp, &empty_X509, 0, NULL);

To set things up correctly, with the appropriate library context.

My apologies, thanks for pointing out my small brain.

This could lead to some tricky changes as currently I set up the trust store before I know if the user wants FIPS or not. I may just set up two stores, or I need to change the order of how I do things.

Thanks,

Jason



From: Tomas Mraz <tomas@xxxxxxxxxxx>
Sent: Friday, November 5, 2021 1:52 PM
To: Jason Schultz <jetson23@xxxxxxxxxxx>; openssl-users@xxxxxxxxxxx <openssl-users@xxxxxxxxxxx>
Subject: Re: Establishing connection errors
 
On Fri, 2021-11-05 at 13:48 +0000, Jason Schultz wrote:
> For setting up the trusted store, when the application starts, it
> calls:
>
> ssl_trusted_certs = X509_STORE_new() 
>
> ...and then reads all of the certificates in /etc/ssl/certs/ calling
>
> X509_STORE_add_cert(trusted_store,cert);
>
> ..for each one.

How do you read the certs? They need to be loaded with the appropriate
libctx.

Or you can use for example X509_STORE_load_file_ex() function to load a
file directly with a libctx.

--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]


