On Mon, May 18, 2020 at 3:58 PM William Lallemand <wlallem...@haproxy.com> wrote:
> I suppose it was put in a PKCS7 container to be able to distinguish each
> DER part of the chain easily? So it can be used by an external tool. I'm not
> sure of what is done with the result of this.
>
> The two patches seem to have different approaches, Arjen's one is
> using a SSL_get0_verified_chain() and Mathild's one is using
> SSL_get_peer_cert_chain(). I'm not sure what approach is the best, I
> suppose that SSL_get_peer_cert_chain() is better if we want to have the
> chain even if it wasn't verified and it could be completed with the
> ssl_c_verify sample fetch if we need this information!
>
> I will be grateful if a .vtc test file is also provided with sample
> fetches patches, it's difficult to test every sample fetches nowadays.
>
> There is already a vtc for client auth which is available here:
> https://git.haproxy.org/?p=haproxy.git;a=blob;f=reg-tests/ssl/ssl_client_auth.vtc

Thanks for the feedback. I believe we will send our proposition soon.

-- William