Hi All,

On 5/18/20 4:32 PM, William Dauchy wrote:
> On Mon, May 18, 2020 at 3:58 PM William Lallemand
> <wlallem...@haproxy.com> wrote:
>> I suppose it was put in a PKCS7 container to be able to distinguish each
>> DER part of the chain easily? So it can be used by an external tool. I'm not
>> sure of what is done with the result of this.
>>
>> The two patches seem to have different approaches, Arjen's one is
>> using a SSL_get0_verified_chain() and Mathild's one is using
>> SSL_get_peer_cert_chain(). I'm not sure what approach is the best, I
>> suppose that SSL_get_peer_cert_chain() is better if we want to have the
>> chain even if it wasn't verified and it could be completed with the
>> ssl_c_verify sample fetch if we need this information!
>>
>> I will be grateful if a .vtc test file is also provided with sample
>> fetches patches, it's difficult to test every sample fetch nowadays.
>>
>> There is already a vtc for client auth which is available here:
>> https://git.haproxy.org/?p=haproxy.git;a=blob;f=reg-tests/ssl/ssl_client_auth.vtc
>
> Thanks for the feedback. I believe we will send our proposition soon.
>

According to openssl's doc about SSL_get_peer_cert_chain, SSL_get0_verified_chain:

    NOTES
    If the session is resumed peers do not send certificates so a NULL
    pointer is returned by these functions.

It would be great if the ssl_c_* documentation specified whether those fetches return nothing on resumed sessions.

R,
Emeric