I looked at the patch in question and it seems reasonable to me. That should
work fine on much older versions of OpenSSL; it's just that now some things are
enforced that weren't before.
A little nit in ssl_engine_init.c:
instead of

-        SSL_CTX_set_client_CA_list(ctx, (STACK *)ca_list);
+        SSL_CTX_set_client_CA_list(ctx, (STACK_OF(X509_NAME) *)ca_list);
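Review bot: the cast on the `+` line is unnecessary and defeats the type checking the STACK_OF(X509_NAME) API now provides; `ca_list` is already assigned from `SSL_CTX_get_client_CA_list(ctx)` a few lines later, so it has the right type and the call should simply be `SSL_CTX_set_client_CA_list(ctx, ca_list);`, with the matching cast on the later `SSL_CTX_get_client_CA_list(ctx)` assignment dropped as well, so that any future type mismatch is reported by the compiler rather than silenced.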

I think I'd prefer
+        SSL_CTX_set_client_CA_list(ctx, ca_list);

and a few lines later instead of

ca_list = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(ctx);

it should be
ca_list = SSL_CTX_get_client_CA_list(ctx);


There is some non-portable code round there that accesses extensions in a most
convoluted fashion for some unknown reason.
The stuff in ..vars.c ssl_ext_list?
Steve.