mod_ssl has this comment in ssl_engine_kernel.c:
    /*
     *  override SSLCACertificateFile & SSLCACertificatePath
     *  This is tagged experimental because it has to use an ugly kludge: We
     *  have to change the locations inside the SSL_CTX* (per-server global)
     *  instead inside SSL* (per-connection local) and reconfigure it to the
     *  old values later. That's problematic at least for the threaded process
     *  model of Apache under Win32 or when an error occurs. But unless
     *  OpenSSL provides a SSL_load_verify_locations() function we've no other
     *  chance to provide this functionality...
     */

I saw references in the mail archives to a STATUS file entry that Ralf was
working on this, but it doesn't seem to have happened yet.  The simple
patch below implements the required functions to change the cert_store
in the SSL structure, rather than SSL_CTX.  This is required for this
feature of mod_ssl to be threadsafe with Apache 2.0.

--- ./ssl/ssl.h~        Mon Dec 17 11:24:39 2001
+++ ./ssl/ssl.h Fri Mar 15 09:30:13 2002
@@ -675,6 +675,8 @@
        int first_packet;
        int client_version;     /* what was passed, used for
                                 * SSLv3/TLS rollback check */
+
+       struct x509_store_st /* X509_STORE */ *cert_store;
        };
 
 #ifdef __cplusplus
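Review bot: The new cert_store member has no defined initial value anywhere in this patch, yet SSL_free and SSL_get_cert_store (ssl_lib.c hunks) both test it against NULL; unless SSL_new zeroes the whole structure (not visible here — confirm) the field starts as garbage and SSL_free hands a wild pointer to X509_STORE_free. Add `s->cert_store=NULL;` in SSL_new, or rely on an existing memset if there is one. SSL_dup likewise copies SSL state member by member and would need to either leave the copy's cert_store NULL or take its own reference, otherwise two SSL objects free the same store. The struct definition begins outside the hunk.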
@@ -928,7 +930,9 @@
 void   SSL_CTX_free(SSL_CTX *);
 long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
 long SSL_CTX_get_timeout(SSL_CTX *ctx);
+X509_STORE *SSL_get_cert_store(SSL *);
 X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *);
+void SSL_set_cert_store(SSL *,X509_STORE *);
 void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *);
 int SSL_want(SSL *s);
 int    SSL_clear(SSL *s);
@@ -1136,7 +1140,10 @@
 void SSL_set_shutdown(SSL *ssl,int mode);
 int SSL_get_shutdown(SSL *ssl);
 int SSL_version(SSL *ssl);
+int SSL_set_default_verify_paths(SSL *ssl);
 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
+int SSL_load_verify_locations(SSL *ssl, const char *CAfile,
+       const char *CApath);
 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
        const char *CApath);
 #define SSL_get0_session SSL_get_session /* just peek at pointer */
--- ./ssl/ssl_lib.c~    Wed Oct 24 12:05:26 2001
+++ ./ssl/ssl_lib.c     Fri Mar 15 11:28:51 2002
@@ -371,6 +371,7 @@
        ssl_clear_cipher_ctx(s);
 
        if (s->cert != NULL) ssl_cert_free(s->cert);
+       if (s->cert_store != NULL) X509_STORE_free(s->cert_store);
        /* Free up if allocated */
 
        if (s->ctx) SSL_CTX_free(s->ctx);
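Review bot: X509_STORE_free on the added line drops a reference, so the store reached through s->cert_store must be one the SSL owns outright; SSL_set_cert_store (later hunk in this file) stores the pointer without taking a reference, so a caller that hands in the SSL_CTX's own store, e.g. one obtained from SSL_CTX_get_cert_store, ends up with it released both here and by SSL_CTX_free. Either document that SSL_set_cert_store transfers ownership of a store the caller uses nowhere else, mirroring SSL_CTX_set_cert_store, or have it take a reference with `CRYPTO_add(&store->references,1,CRYPTO_LOCK_X509_STORE);` before assigning. The NULL test before X509_STORE_free is harmless but redundant if X509_STORE_free already accepts NULL. SSL_free continues outside the hunk.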
@@ -1929,11 +1930,22 @@
        }
 
 #ifndef NO_STDIO
+int SSL_set_default_verify_paths(SSL *ssl)
+       {
+       return(X509_STORE_set_default_paths(ssl->cert_store));
+       }
+
 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
        {
        return(X509_STORE_set_default_paths(ctx->cert_store));
        }
 
+int SSL_load_verify_locations(SSL *ssl, const char *CAfile,
+               const char *CApath)
+       {
+       return(X509_STORE_load_locations(ssl->cert_store,CAfile,CApath));
+       }
+
 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
                const char *CApath)
        {
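Review bot: SSL_set_default_verify_paths and SSL_load_verify_locations dereference ssl->cert_store with no NULL check, but the field is NULL on every SSL that has not had SSL_set_cert_store called on it, so the first call on a fresh connection passes a NULL store to X509_STORE_set_default_paths or X509_STORE_load_locations. Decide explicitly in both functions: either fail with `if (ssl->cert_store == NULL) return(0);`, or create a private store on demand with `if (ssl->cert_store == NULL && (ssl->cert_store=X509_STORE_new()) == NULL) return(0);`. A lazily created store starts empty rather than inheriting the SSL_CTX's CA set, which matches the override semantics the quoted mod_ssl comment asks for, but that should be stated in the functions' documentation. The NO_STDIO block these sit in starts outside the hunk.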
@@ -2007,11 +2019,26 @@
        return(1);
        }
 
+X509_STORE *SSL_get_cert_store(SSL *ssl)
+       {
+       if (ssl->cert_store != NULL)
+               return ssl->cert_store;
+       else
+               return ssl->ctx->cert_store;
+       }
+
 X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx)
        {
        return(ctx->cert_store);
        }
 
+void SSL_set_cert_store(SSL *ssl,X509_STORE *store)
+       {
+       if (ssl->cert_store != NULL)
+               X509_STORE_free(ssl->cert_store);
+       ssl->cert_store=store;
+       }
+
 void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store)
        {
        if (ctx->cert_store != NULL)
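Review bot: SSL_get_cert_store silently falls back to ssl->ctx->cert_store, so a caller that fetches the store in order to add CAs to it will mutate the per-SSL_CTX store shared by every connection whenever no private store has been set, which is exactly the cross-connection hazard this patch exists to remove. Either return only ssl->cert_store (NULL meaning the context's store is in use) or document the fallback prominently, e.g. `/* Returns the SSL's private store, or the SSL_CTX's shared store when none is set; never modify the latter per connection. */`. SSL_set_cert_store should also state that it takes ownership of store, since it frees the previous store without taking a reference on the new one. SSL_CTX_set_cert_store's body continues outside the hunk.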
--- ./ssl/ssl_cert.c~   Tue Jul 31 03:20:53 2001
+++ ./ssl/ssl_cert.c    Fri Mar 15 09:33:16 2002
@@ -442,12 +442,14 @@
        X509 *x;
        int i;
        X509_STORE_CTX ctx;
+       X509_STORE *cert_store = s->cert_store ?
+            s->cert_store : s->ctx->cert_store;
 
        if ((sk == NULL) || (sk_X509_num(sk) == 0))
                return(0);
 
        x=sk_X509_value(sk,0);
-       X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk);
+       X509_STORE_CTX_init(&ctx,cert_store,x,sk);
        if (SSL_get_verify_depth(s) >= 0)
                X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
        X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
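Review bot: The new local in ssl_verify_cert_chain re-implements the private-store-then-context-store selection that SSL_get_cert_store in ssl_lib.c already encodes; calling the accessor keeps the fallback policy in one place, `X509_STORE_CTX_init(&ctx,SSL_get_cert_store(s),x,sk);`, and drops the two-line local. If the two ever diverge, chain verification would consult a different store from the one SSL_load_verify_locations populated. The function's signature and the rest of its body lie outside the hunk.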
