On 21/09/12 15:04, Stephen Henson via RT wrote:
>> [rob.stradl...@comodo.com - Fri Sep 21 15:55:39 2012]:
>>
>> Hi Steve.
>>
>> I saw your update (to 1.0.2 and HEAD), and I did start looking at
>> backporting it into my 1.0.1/1.0.0/0.9.8 patches.
>>
>> ssl_get_server_send_pkey() is not available in 1.0.1 and earlier, so the
>> t1_lib.c patch would have to be something like...
>>
>> + X509 *x;
>> + x = ssl_get_server_send_cert)s);
>> + /* If no certificate can't return certificate status */
>> + if (x == NULL)
>> + {
>> + s->tlsext_status_expected = 0;
>> + return 1;
>> + }
>> + /* Set current certificate to one we will use so
>> + * SSL_get_certificate et al can pick it up.
>> + */
>> + s->cert->key->x509 = x;
>>
>> Is it OK to update s->cert->key->x509 like this?
>>
>
> No, because you could end up with all sorts of bad things happening (keys
> and certificates not matching, certificate types not matching and memory
> leaks).
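Review bot: `x = ssl_get_server_send_cert)s);` has an unbalanced parenthesis and will not compile as quoted; it should read `x = ssl_get_server_send_cert(s);`. The final `s->cert->key->x509 = x;` also swaps the certificate pointer in the slot without releasing the one it replaces or touching the private key that sits beside it, which is exactly the key/certificate mismatch and leak that Steve's reply warns about; returning the selected certificate/key pair from a backported ssl_get_server_send_pkey() and reading from it, rather than mutating s->cert->key, avoids both problems.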
That's what I thought.

> Easiest solution is to also backport ssl_get_server_send_pkey, see:
>
> http://cvs.openssl.org/chngview?cn=22840

I didn't think of that. Thanks!

I'll prepare patches to backport 22840 to 1.0.0 and 0.9.8 (unless you or Ben get there first).

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
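To make Steve's objection concrete, here is an added toy model (not OpenSSL code, and not from the thread) of a certificate/key slot like s->cert->key with reference-counted objects: overwriting only the x509 pointer, as the quoted patch does, leaves the slot holding a certificate that no longer matches its private key and never releases the old certificate, whereas selecting the whole pair, as the backported ssl_get_server_send_pkey() approach does, mutates nothing. The struct and function names below are assumptions for illustration only.

```c
#include <stdlib.h>
#include <string.h>

typedef struct { int refs; char name[8]; } Obj;          /* stands in for X509 / EVP_PKEY */
typedef struct { Obj *x509; Obj *privatekey; } CertPkey; /* models the s->cert->key slot (assumed) */

static Obj *obj_new(const char *name) {
    Obj *o = calloc(1, sizeof *o);
    o->refs = 1;
    strncpy(o->name, name, sizeof o->name - 1);
    return o;
}

/* In this model a cert and key match when they carry the same label. */
static int pair_matches(const CertPkey *p) {
    return strcmp(p->x509->name, p->privatekey->name) == 0;
}

/* The quoted patch's approach: drop the chosen X509 into the slot.
 * Returns 1 if the slot is now inconsistent. The previous certificate
 * is never released (its refcount stays at 1 with no owner): a leak. */
int overwrite_x509(CertPkey *slot, Obj *chosen_cert) {
    slot->x509 = chosen_cert;
    return !pair_matches(slot);
}

/* Steve's suggestion, modelled: select the whole matching pair and read
 * from it, touching neither the slot nor any reference count. */
const CertPkey *server_send_pkey(const CertPkey pairs[], int which) {
    return &pairs[which];
}

/* Constructed scenario: an RSA pair (slot 0) and an ECDSA pair (slot 1);
 * switch the "current" certificate to ECDSA both ways. Result bits:
 * 1 = overwrite left a mismatch, 2 = old cert leaked, 4 = selected pair consistent. */
int demo(void) {
    CertPkey pairs[2] = {
        { obj_new("rsa"),   obj_new("rsa")   },
        { obj_new("ecdsa"), obj_new("ecdsa") },
    };
    Obj *old_cert = pairs[0].x509;
    int r = 0;
    if (overwrite_x509(&pairs[0], pairs[1].x509)) r |= 1;
    if (old_cert->refs == 1) r |= 2;              /* still allocated, unreachable from the slot */
    if (pair_matches(server_send_pkey(pairs, 1))) r |= 4;
    return r;  /* 7 */
}
```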