On 21/09/12 15:04, Stephen Henson via RT wrote:
>> [rob.stradl...@comodo.com - Fri Sep 21 15:55:39 2012]:
>>
>> Hi Steve.
>>
>> I saw your update (to 1.0.2 and HEAD), and I did start looking at
>> backporting it into my 1.0.1/1.0.0/0.9.8 patches.
>>
>> ssl_get_server_send_pkey() is not available in 1.0.1 and earlier, so the
>> t1_lib.c patch would have to be something like...
>>
>> +            X509 *x;
>> +            x = ssl_get_server_send_cert)s);
>> +            /* If no certificate can't return certificate status */
>> +            if (x == NULL)
>> +                    {
>> +                    s->tlsext_status_expected = 0;
>> +                    return 1;
>> +                    }
>> +            /* Set current certificate to one we will use so
>> +             * SSL_get_certificate et al can pick it up.
>> +             */
>> +            s->cert->key->x509 = x;
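Review bot: the call on the second `+` line, `x = ssl_get_server_send_cert)s);`, does not compile as written; the argument is opened with `)` instead of `(`, so it should read `x = ssl_get_server_send_cert(s);`. Separately, the final `+` line assigns the returned `X509 *` straight into `s->cert->key->x509`, which swaps the certificate under the currently selected key slot while leaving that slot's private key and certificate type untouched (the key/certificate and type mismatch Steve describes below) and overwrites the previous `x509` pointer rather than releasing it (the leak). Selecting the whole certificate/key pair through the routine the 1.0.2/HEAD change uses, `ssl_get_server_send_pkey`, avoids both, which is why backporting it is the cleaner fix.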
>>
>> Is it OK to update s->cert->key->x509 like this?
>>
>
> No because you could end up with all sorts of bad things happening (keys
> and certificates not matching, certificate types not matching and memory
> leaks).

That's what I thought.

> Easiest solution is to also backport ssl_get_server_send_pkey see:
>
> http://cvs.openssl.org/chngview?cn=22840

I didn't think of that.  Thanks!

I'll prepare patches to backport 22840 to 1.0.0 and 0.9.8 (unless you or Ben get there first).

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
