On Mon, 2016-07-11 at 13:08 +0000, Mattias Ellert via RT wrote:

> Looking at the various places in the code where get_issuer
> and check_issued are accessed, they mostly use the context rather than
> the store. Here are the places I have found:
>
> https://sources.debian.net/src/nordugrid-arc/5.1.2-1/src/hed/libs/credential/CertUtil.cpp/#L71
> https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1581
> https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1588
> https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L367
> https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L1059
> https://sources.debian.net/src/globus-gsi-credential/7.9-2/library/globus_gsi_cred_handle.c/#L1997
>
> And the following one actually uses the store and not the context:
>
> https://sources.debian.net/src/globus-gssapi-gsi/12.1-1/library/globus_i_gsi_gss_utils.c/#L448
I was using store.get_issuer() in OpenConnect too, because I need to manually build the trust chain to include it on the wire — because even today the server might *still* suffer RT#1942 and fail to trust our client cert unless we help it by providing the *right* chain.

I've worked around the lack of access to get_issuer() by doing a dummy call to X509_verify_cert(), throwing away its result and then hoping that we have something useful in store.chain (which we *can* still access). That seems to work but I'm not stunningly happy with it; if we can have an accessor I'd much rather go back to doing it the old way.

http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/0d635a0 (in workaround_openssl_certchain_bug() in the hunk around line 1306)

-- 
dwmw2