Thanks for your review, Rüdiger.
+ /* set SSL_CTX (if matched) */
+ if (found && (ssl = ((SSLConnRec *)myConnConfig(c))->ssl) &&
+ (sc = mySrvConfig(s))) {
+ SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
+ /*
+ * SSL_set_SSL_CTX() only deals with the server cert,
+ * so we need to duplicate a few additional settings
+ * from the ctx by hand
+ */
+ SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
Sorry for being confused, but shouldn't this be sc->server->ssl_ctx
instead of ssl->ctx?
It would amount to exactly the same thing, in fact. This is OpenSSL's
implementation of SSL_set_SSL_CTX (from ssl/ssl_lib.c):
SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
    {
    if (ssl->ctx == ctx)
        return ssl->ctx;
#ifndef OPENSSL_NO_TLSEXT
    if (ctx == NULL)
        ctx = ssl->initial_ctx;
#endif
    if (ssl->cert != NULL)
        ssl_cert_free(ssl->cert);
    ssl->cert = ssl_cert_dup(ctx->cert);
    CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
    if (ssl->ctx != NULL)
        SSL_CTX_free(ssl->ctx); /* decrement reference count */
    ssl->ctx = ctx;
    return(ssl->ctx);
    }
I.e. calling "SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx)" from modssl
will set ssl->ctx to sc->server->ssl_ctx, so
"SSL_CTX_get_options(ssl->ctx)" and
"SSL_CTX_get_options(sc->server->ssl_ctx)" will do the same thing
afterwards.
My idea was that it would be more appropriate to refer to the newly set
context (that's why the SSL_set_SSL_CTX call is happening - which is
actually the most important step). But on the other hand I have no
strong feelings against using sc->server->ssl_ctx instead, if you prefer
that one.
>> + SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
>> + SSL_CTX_get_verify_callback(ssl->ctx));
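Review bot: same accessor point as for the previous hunk, `ssl->ctx` here can be `SSL_get_SSL_CTX(ssl)`. Note also that the verify depth is a third per-vhost setting that `SSL_set_SSL_CTX()` leaves untouched; if the matched vhost configures one, it needs `SSL_set_verify_depth(ssl, SSL_CTX_get_verify_depth(...))` next to this `SSL_set_verify()` call, otherwise the default vhost's depth stays in effect.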
>
> Same question as above.
Same answer as above :-)
Kaspar