On Mon, May 18, 2020 at 02:49:28PM +0200, William Dauchy wrote:
> Hello William L.,
>
> On Wed, Dec 4, 2019 at 4:24 PM PR Bot <haproxy-pr-bot-no-re...@ltri.eu> wrote:
> > Patch title(s):
> > MINOR: add fetch 'ssl_c_verified_chain'
> > Merge branch 'master' of https://github.com/haproxy/haproxy
> > Link:
> > https://github.com/haproxy/haproxy/pull/396
> > Edit locally:
> > wget https://github.com/haproxy/haproxy/pull/396.patch && vi 396.patch
> > Apply locally:
> > curl https://github.com/haproxy/haproxy/pull/396.patch | git am -
>
> We were wondering if you had the time to have a look at this one?
> In fact we have a similar need and Mathilde started to work on a very
> similar patch, see
> https://github.com/ShimmerGlass/haproxy/commit/c63116fe7048320abc41709e4d1b25513da91f57
> the difference being that Mathilde simply concatenated the certs, and the
> patch from Arjen uses PKCS7. Is there any specific reason to use
> PKCS7?
>
> note: it also refers to https://github.com/haproxy/haproxy/issues/297
>
> Best,
Hello,

I suppose it was put in a PKCS7 container to be able to distinguish each DER part of the chain easily? So it can be used by an external tool. I'm not sure of what is done with the result of this.

The two patches seem to have different approaches: Arjen's one is using SSL_get0_verified_chain() and Mathilde's one is using SSL_get_peer_cert_chain(). I'm not sure which approach is the best; I suppose that SSL_get_peer_cert_chain() is better if we want to have the chain even if it wasn't verified, and it could be completed with the ssl_c_verify sample fetch if we need this information!

I will be grateful if a .vtc test file is also provided with sample fetch patches; it's difficult to test every sample fetch nowadays. There is already a vtc for client auth which is available here:

https://git.haproxy.org/?p=haproxy.git;a=blob;f=reg-tests/ssl/ssl_client_auth.vtc

Thanks!

-- 
William Lallemand
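The point raised above (a PKCS7 container lets an external tool tell the certificates apart, whereas the concatenating patch leaves that to the consumer) can be checked concretely. The following is an added example, not code from HAProxy or from either patch, and it assumes the concatenated form of the fetch is raw DER, one X.509 SEQUENCE after another; with a PKCS7 bundle this step is unnecessary because the container already delimits each certificate. It walks the DER tag/length headers to recover each certificate and rejects truncated or non-DER input rather than guessing. The sample chain is constructed (two stand-in SEQUENCEs, not real certificates), so it runs offline.

```python
"""Split a chain of concatenated DER certificates back into its elements.

Added illustration, not code from HAProxy or either patch. Assumes the
concatenated fetch output is raw DER (X.509 Certificate is a SEQUENCE,
tag 0x30); a PKCS7 container would delimit the certificates itself.
"""
from typing import List, Tuple


def _read_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length starting at data[pos]; return (length, next_pos).

    DER forbids the indefinite form (0x80) and non-minimal long forms, so
    anything other than short form or a minimal long form is rejected.
    """
    first = data[pos]
    pos += 1
    if first < 0x80:                          # short form: single byte
        return first, pos
    if first in (0x80, 0xFF):                 # indefinite / reserved: not DER
        raise ValueError("invalid DER length octet at offset %d" % (pos - 1))
    nbytes = first & 0x7F
    if pos + nbytes > len(data):
        raise ValueError("truncated length field at offset %d" % (pos - 1))
    raw = data[pos:pos + nbytes]
    if raw[0] == 0:                           # leading zero byte: non-minimal
        raise ValueError("non-minimal DER length at offset %d" % (pos - 1))
    return int.from_bytes(raw, "big"), pos + nbytes


def split_der_chain(blob: bytes) -> List[bytes]:
    """Return each top-level SEQUENCE (one certificate) in the concatenated blob.

    Raises ValueError instead of returning a partial list when the input is
    not a clean sequence of complete DER certificates.
    """
    certs: List[bytes] = []
    pos = 0
    while pos < len(blob):
        if blob[pos] != 0x30:
            raise ValueError("unexpected tag 0x%02x at offset %d" % (blob[pos], pos))
        length, body = _read_length(blob, pos + 1)
        end = body + length
        if end > len(blob):
            raise ValueError("truncated certificate at offset %d" % pos)
        certs.append(blob[pos:end])
        pos = end
    return certs


def der_sequence(payload: bytes) -> bytes:
    """Wrap payload in a DER SEQUENCE with minimal length encoding (sample builder)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return b"\x30" + length + payload


# Constructed sample chain: two stand-in "certificates" (not real X.509 data),
# the first large enough to need a long-form length, concatenated the way a
# non-PKCS7 fetch would emit them.
LEAF = der_sequence(b"\x02\x01\x01" + b"L" * 200)     # 206 bytes on the wire
ISSUER = der_sequence(b"\x02\x01\x02" + b"I" * 20)    # 25 bytes on the wire
CHAIN = LEAF + ISSUER


def chain_is_well_formed(blob: bytes) -> bool:
    """True if blob splits cleanly into complete DER elements."""
    try:
        split_der_chain(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for i, cert in enumerate(split_der_chain(CHAIN)):
        print("cert %d: %d bytes" % (i, len(cert)))
```

Feeding a real concatenated DER chain to `split_der_chain` gives one entry per certificate in the order the peer sent them; a consumer that instead receives PKCS7 can hand the whole blob to an ASN.1 or PKCS7 parser and skip this step.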