On 17/11/2013 15:25, Dr Stephen Henson wrote:
>
> Evil hack workaround: create a temporary SSL structure from the SSL_CTX of
> interest after you call SSL_CTX_get_certificate, call SSL_get_certificate on it
> and then free up the temp SSL structure. That *should* work on all the versions
> of OpenSSL of interest. That's not very efficient and makes me cringe a bit but
> you'd only go through it once on start up.
>
Erk, typo. I of course meant "...after you call SSL_CTX_use_certificate_file or
SSL_CTX_use_certificate_chain_file..."

A point to note about SSL_CTX_use_certificate_chain_file, at least in its current
form. If the certificate file contains additional certificates, this will end up
adding them to the SSL_CTX using SSL_CTX_add_extra_chain_cert. That is more
efficient as it doesn't have to try and build the chain on each call.

Unfortunately, due to a limitation in OpenSSL 1.0.1 and earlier, you can only have
one chain for the SSL_CTX, shared by all certificate types and all SSL structures
created from it. That means if you have more than one certificate configured and
they have different chains, the second will replace the first in the SSL_CTX and
it will end up sending the wrong chain in some cases.

For OpenSSL 1.0.2 this limitation is removed and you can have different chains for
each certificate type (and for SSL structures too) and it just uses the right one.
This uses the function SSL_CTX_add1_chain_cert, which adds a certificate to the
chain for the current certificate.

I *could* change SSL_CTX_use_certificate_chain_file to use SSL_CTX_add1_chain_cert
instead of SSL_CTX_add_extra_chain_cert, or perhaps have a different function. I'm
always cautious about changing the behaviour of existing functions though, as the
most innocent change will usually break *something*, though I can't see how it can
in this case.

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com