On 01/02/2014 07:43, Kaspar Brand wrote:
> 
> Steve, I'm using this opportunity for a short reminder about [1] - any
> comments about that? Should we try to get this into 2.4.8?
> 

On the subject of reminders and SSL_CONF. The code that handles SSL_CONF has
something which manually checks for the "Certificate" command in order to handle
stapling initialisation. Ideally that should be avoided with SSL_CONF because in
future additional commands might be added to SSL_CONF which can affect
certificates too and possibly multiple certificates simultaneously (e.g. imagine
something loading several certificates and keys from a single source). Those
would then have to be manually added to any application and one of the aims of
SSL_CONF is to avoid the need to keep modifying applications to handle (some)
new functionality.

I'm wondering how that could be avoided. Would a way to enumerate all
certificates in an SSL_CTX structure in OpenSSL help? Something like
SSL_CTX_get0_first_certificate() and SSL_CTX_get0_next_certificate(). That would
also set the current certificate at the same time in case applications wanted to
inspect the private key or chain.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com
