Bodo Moeller writes:
>"Simon J. Gerraty" <[EMAIL PROTECTED]>:
>> A quick look through CHANGES and apps/* did not show much in the way
>> of API changes [...] but after a successful call to
>> SSL_CTX_use_PrivateKey_file(), SSL_get_certificate(ssl_con) returns
>> NULL.
>Actually this may be mentioned in CHANGES, because the problem
>could be that the program first calls SSL_new and then
>SSL_CTX_use_PrivateKey_file:
Yes that is indeed my problem.
The comment in ssl_lib.c says:
/* Earlier library versions used to copy the pointer to
* the CERT, not its contents; only when setting new
* parameters for the per-SSL copy, ssl_cert_new would be
* called (and the direct reference to the per-SSL_CTX
* settings would be lost, but those still were indirectly
* accessed for various purposes, and for that reason they
* used to be known as s->ctx->default_cert).
* Now we don't look at the SSL_CTX's CERT after having
* duplicated it once. */
This says what was changed, but gives no justification for it.
Is there some class of problem which is solved by this change?
From my quick look, this change blows me out of the water - I've relied
on the shallow copying that SSLeay did and indeed used it myself when
cloning SSL*.
Are there new APIs in OpenSSL to support updating a prototype SSL* with
the cert struct from the SSL_CTX*? What about cloning the SSL*'s cert struct?
Is a shallow copy a problem? I assume so, otherwise why the change above?
Re-ordering everything so that the first call to SSL_new() is after the
reading of the private key will complicate things in ugly ways. And that
still does not address the issue of cloning subsequent SSL* (assuming there
is no API to do it).
I'd hate to have to resort to frobbing structs directly.
Even something like:
if (ssl_con->cert)
        ssl_cert_free(ssl_con->cert);
ssl_con->cert = ssl_cert_dup(ssl_ctx->cert);
requires embedding knowledge of the various structs in my code.
Input welcome :-)
--sjg
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]