Hi All,

On 5/18/20 4:32 PM, William Dauchy wrote:
> On Mon, May 18, 2020 at 3:58 PM William Lallemand
> <wlallem...@haproxy.com> wrote:
>> I suppose it was put in a PKCS7 container to be able to distinguish each
>> DER part of the chain easily? So it can be used by an external tool. I'm not
>> sure of what is done with the result of this.
>>
>> The two patches seem to have different approaches, Arjen's one is
>> using SSL_get0_verified_chain() and Mathild's one is using
>> SSL_get_peer_cert_chain(). I'm not sure which approach is the best, I
>> suppose that SSL_get_peer_cert_chain() is better if we want to have the
>> chain even if it wasn't verified, and it could be completed with the
>> ssl_c_verify sample fetch if we need this information!
>>
>> I would be grateful if a .vtc test file is also provided with sample
>> fetch patches, it's difficult to test every sample fetch nowadays.
>>
>> There is already a vtc for client auth which is available here:
>> https://git.haproxy.org/?p=haproxy.git;a=blob;f=reg-tests/ssl/ssl_client_auth.vtc
> 
> Thanks for the feedback. I believe we will send our proposal soon.
> 

According to OpenSSL's documentation for SSL_get_peer_cert_chain and SSL_get0_verified_chain:

NOTES
If the session is resumed peers do not send certificates so a NULL pointer is 
returned by these functions.

It would be great if the ssl_c_ sample fetches' documentation specified that this information
won't return anything on resumed sessions.

R,
Emeric