On 17/11/2013 15:01, Kaspar Brand wrote:
>
> One issue I'm facing with the current implementation is that when
> relying on SSL_CTX_use_certificate_file/
> SSL_CTX_use_certificate_chain_file to configure the cert, there's no way
> to get at the X509 * which really got configured for the SSL_CTX
> (remember that we're compiling with OPENSSL_NO_SSL_INTERN for OpenSSL
> 1.0.0 or later).
>

I don't think it helps if you don't use OPENSSL_NO_SSL_INTERN either. The actual certificate configured is in a CERT structure (which can be part of SSL_CTX or SSL structures) which is defined in a private header file.

> Steve, could you consider adding SSL_CTX_get_certificate, which would
> allow retrieving the "current cert" (i.e. one set by the last
> SSL_CTX_use_certificate* call)? And perhaps SSL_CTX_get_privatekey as
> its companion, at the same time? Without SSL_CTX_get_certificate at
> least, we can't call ssl_stapling_init_cert, unfortunately.
>

I can certainly add functions to OpenSSL 1.0.2 and later, I'd regard it as a useful addition. It's problematical adding it to earlier releases as we have a "no new functionality" policy for bug fix releases.

Evil hack workaround: create a temporary SSL structure from the SSL_CTX of interest after you call SSL_CTX_get_certificate, call SSL_get_certificate on it and then free up the temp SSL structure. That *should* work on all the versions of OpenSSL of interest.

That's not very efficient and makes me cringe a bit but you'd only go through it once on start up.

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
[email protected]
