Bodo Moeller writes:
>"Simon J. Gerraty" <[EMAIL PROTECTED]>:
>> A quick look through CHANGES and apps/* did not show much in the way
>> of API changes [...] but after a successful call to
>> SSL_CTX_use_PrivateKey_file(), SSL_get_certificate(ssl_con) returns
>> NULL.

>Actually this may be mentioned in CHANGES, because the problem
>could be that the program first calls SSL_new and then
>SSL_CTX_use_PrivateKey_file:

Yes, that is indeed my problem.
The comment in ssl_lib.c says:

                /* Earlier library versions used to copy the pointer to
                 * the CERT, not its contents; only when setting new
                 * parameters for the per-SSL copy, ssl_cert_new would be
                 * called (and the direct reference to the per-SSL_CTX
                 * settings would be lost, but those still were indirectly
                 * accessed for various purposes, and for that reason they
                 * used to be known as s->ctx->default_cert).
                 * Now we don't look at the SSL_CTX's CERT after having
                 * duplicated it once. */

This says what was changed, but gives no justification for it.
Is there some class of problem which is solved by this change?

From my quick look, this change blows me out of the water - I've relied
on the shallow copying that SSLeay did and indeed used it myself when 
cloning SSL*.

Are there new APIs in OpenSSL to support updating a prototype SSL* with
the cert struct from the SSL_CTX*? What about cloning the SSL*'s cert struct?
Is a shallow copy a problem? I assume so, otherwise why the change above?

Re-ordering everything so that the first call to SSL_new() is after the
reading of the private key will complicate things in ugly ways.  And that
still does not address the issue of cloning subsequent SSL* (assuming there 
is no API to do it).

I'd hate to have to resort to frobbing structs directly.
Even something like:

        /* drop the per-SSL copy made at SSL_new() time ... */
        if (ssl_con->cert)
                ssl_cert_free(ssl_con->cert);
        /* ... and re-duplicate the (now updated) SSL_CTX copy */
        ssl_con->cert = ssl_cert_dup(ssl_ctx->cert);

requires embedding knowledge of the various structs in my code.

Input welcome :-)

--sjg
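The following is an added illustration, not code from this thread and not OpenSSL's own code. It is a constructed toy model in plain C of the behaviour the ssl_lib.c comment describes: a per-connection object that either shares the context's CERT pointer (the old SSLeay behaviour) or duplicates it at creation time (the OpenSSL behaviour). It shows why a key loaded into the context after the connection object exists is invisible to that connection under the deep-copy rule, why loading before creation (in real OpenSSL: calling SSL_CTX_use_PrivateKey_file() before SSL_new()) works, and what the "re-duplicate from the context" workaround quoted above does in this model. All type and function names here (cert_t, ctx_t, conn_t, conn_refresh_cert and so on) are hypothetical stand-ins, not OpenSSL identifiers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model; these are NOT OpenSSL's structures. */
typedef struct {
    char *key;              /* stands in for the private key (NULL = not loaded) */
} cert_t;

typedef struct { cert_t *cert; } ctx_t;                 /* models SSL_CTX */
typedef struct { cert_t *cert; int owns_cert; } conn_t; /* models SSL */

/* strdup() is POSIX, not ISO C; use a local copy to stay portable. */
static char *xstrdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

static cert_t *cert_new(void) { return calloc(1, sizeof(cert_t)); }

/* Deep copy: the duplicate has its own key storage. */
static cert_t *cert_dup(const cert_t *c) {
    cert_t *d = cert_new();
    if (d && c->key) d->key = xstrdup(c->key);
    return d;
}

static void cert_free(cert_t *c) {
    if (!c) return;
    free(c->key);
    free(c);
}

/* SSLeay-style creation: share the context's CERT pointer. */
static conn_t *conn_new_shallow(ctx_t *ctx) {
    conn_t *s = calloc(1, sizeof(conn_t));
    s->cert = ctx->cert;
    s->owns_cert = 0;
    return s;
}

/* OpenSSL-style creation (per the ssl_lib.c comment): duplicate CERT once,
 * never look at the context's CERT again. */
static conn_t *conn_new_deep(ctx_t *ctx) {
    conn_t *s = calloc(1, sizeof(conn_t));
    s->cert = cert_dup(ctx->cert);
    s->owns_cert = 1;
    return s;
}

/* The "frobbing structs directly" workaround from the message, in model form:
 * discard the per-connection copy and re-duplicate the context's CERT. */
static void conn_refresh_cert(conn_t *s, ctx_t *ctx) {
    if (s->owns_cert) cert_free(s->cert);
    s->cert = cert_dup(ctx->cert);
    s->owns_cert = 1;
}

static void conn_free(conn_t *s) {
    if (!s) return;
    if (s->owns_cert) cert_free(s->cert);
    free(s);
}

/* Models SSL_CTX_use_PrivateKey_file(): mutates the context's CERT in place. */
static void ctx_use_key(ctx_t *ctx, const char *key) {
    free(ctx->cert->key);
    ctx->cert->key = xstrdup(key);
}

/* Models SSL_get_privatekey()/SSL_get_certificate(): NULL when nothing loaded. */
static const char *conn_get_key(const conn_t *s) { return s->cert->key; }

/* Create the connection FIRST, load the key AFTERWARDS (the ordering in the
 * message). Returns 1 if the connection can see the key, 0 if it gets NULL. */
static int key_visible_after_late_load(int deep_copy, int refresh) {
    ctx_t ctx = { cert_new() };
    conn_t *s = deep_copy ? conn_new_deep(&ctx) : conn_new_shallow(&ctx);
    ctx_use_key(&ctx, "constructed-key-material");   /* after SSL_new() */
    if (refresh) conn_refresh_cert(s, &ctx);         /* the workaround */
    int visible = conn_get_key(s) != NULL;
    conn_free(s);
    cert_free(ctx.cert);
    return visible;
}

/* The reordering fix: load into the context first, then create connections. */
static int key_visible_after_early_load(void) {
    ctx_t ctx = { cert_new() };
    ctx_use_key(&ctx, "constructed-key-material");   /* before SSL_new() */
    conn_t *s = conn_new_deep(&ctx);
    int visible = conn_get_key(s) != NULL;
    conn_free(s);
    cert_free(ctx.cert);
    return visible;
}

int main(void) {
    printf("shallow copy, late load:        key %s\n", key_visible_after_late_load(0, 0) ? "visible" : "NULL");
    printf("deep copy,    late load:        key %s\n", key_visible_after_late_load(1, 0) ? "visible" : "NULL");
    printf("deep copy,    late load+refresh: key %s\n", key_visible_after_late_load(1, 1) ? "visible" : "NULL");
    printf("deep copy,    early load:       key %s\n", key_visible_after_early_load() ? "visible" : "NULL");
    return 0;
}
```

The second case is the NULL return described in the message: once the per-connection CERT has been duplicated, later changes to the context are not seen. Note that in the shallow-copy case the connection and the context share one CERT, so the connection must not free it; the owns_cert flag in the model is the bookkeeping that sharing forces on every caller, which is one reason a library would prefer to duplicate once and own the copy.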

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]