[openssl.org #2751] [ENHANCEMENT] Request moving static get_issuer_sk before X509_verify_cert

2014-08-17 Thread Rich Salz via RT
Fixed in HEAD. Now let's see those cross-certify enhancements :)
commit c9a81b3026dcd2e78ce3ee85bfd93e3d0f1eac71
Author: Rich Salz rs...@akamai.com
Date: Fri Aug 15 17:20:26 2014 -0400

RT2751: Declare get_issuer_sk() earlier.

Add a declaration for get_issuer_sk() so that other
functions in x509_vf.c could use it. (Planned work
around cross-certification chains.)
Reviewed-by: Kurt Roeckx k...@openssl.org
--
Rich Salz, OpenSSL dev team; rs...@openssl.org

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: [openssl.org #2751] [ENHANCEMENT] Request moving static get_issuer_sk before X509_verify_cert

2012-03-10 Thread Kevin Vargo
----- Original Message -----
> From: Stephen Henson via RT r...@openssl.org
> To: var...@yahoo.com
> Cc: openssl-dev@openssl.org
> Sent: Saturday, March 3, 2012 8:31 AM
> Subject: [openssl.org #2751] [ENHANCEMENT] Request moving static get_issuer_sk before X509_verify_cert
>
> > [var...@yahoo.com - Sat Mar 03 13:23:18 2012]:
> >
> > I'll submit another request related to why I want this done; but the
> > move itself should be OK, I think.  [I would like to be able to
> > check the trusted store for any matching issuer when building the
> > client-verification chain.  This is related to issues from
> > Cross-Certification.]
>
> Note there is a flag X509_V_FLAG_TRUSTED_FIRST in HEAD which may do what
> you want.

Yes, this is what I was looking at doing and very similar to how I was going to
do it.  Is there API support for this?  E.g., to set from mod_ssl?  I don't see
anything, so I'm just reaching in through ctx->param to set it, but if there's
a better/more proper way, I'd prefer to do it that way.

Also, is this targeted for 1.0.2, I guess? And would it be possible to
back-port it to the 0.9.8 branch?  I'd love to have, e.g., RHEL5 pick it up
natively.

The patch should be attached... 


Thanks,
Kevin


openssl-fips-0.9.8e-use-trusted.patch
Description: Binary data


Re: [openssl.org #2751] [ENHANCEMENT] Request moving static get_issuer_sk before X509_verify_cert

2012-03-09 Thread Kevin Vargo via RT
----- Original Message -----
> From: Stephen Henson via RT r...@openssl.org
> To: var...@yahoo.com
> Cc: openssl-dev@openssl.org
> Sent: Saturday, March 3, 2012 8:31 AM
> Subject: [openssl.org #2751] [ENHANCEMENT] Request moving static get_issuer_sk before X509_verify_cert
>
> > [var...@yahoo.com - Sat Mar 03 13:23:18 2012]:
> >
> > I'll submit another request related to why I want this done; but the
> > move itself should be OK, I think.  [I would like to be able to
> > check the trusted store for any matching issuer when building the
> > client-verification chain.  This is related to issues from
> > Cross-Certification.]
>
> Note there is a flag X509_V_FLAG_TRUSTED_FIRST in HEAD which may do what
> you want.

Yes, this is what I was looking at doing and very similar to how I was going to
do it.  Is there API support for this?  E.g., to set from mod_ssl?  I don't see
anything, so I'm just reaching in through ctx->param to set it, but if there's
a better/more proper way, I'd prefer to do it that way.

Also, is this targeted for 1.0.2, I guess? And would it be possible to
back-port it to the 0.9.8 branch?  I'd love to have, e.g., RHEL5 pick it up
natively.

The patch should be attached... 


Thanks,
Kevin


openssl-fips-0.9.8e-use-trusted.patch
Description: Binary data


Re: [openssl.org #2751] [ENHANCEMENT] Request moving static get_issuer_sk before X509_verify_cert

2012-03-09 Thread Dr. Stephen Henson
On Fri, Mar 09, 2012, Kevin Vargo via RT wrote:

> ----- Original Message -----
> > From: Stephen Henson via RT r...@openssl.org
> > To: var...@yahoo.com
> > Cc: openssl-dev@openssl.org
> > Sent: Saturday, March 3, 2012 8:31 AM
> > Subject: [openssl.org #2751] [ENHANCEMENT] Request moving static get_issuer_sk before X509_verify_cert
> >
> > > [var...@yahoo.com - Sat Mar 03 13:23:18 2012]:
> > >
> > > I'll submit another request related to why I want this done; but the
> > > move itself should be OK, I think.  [I would like to be able to
> > > check the trusted store for any matching issuer when building the
> > > client-verification chain.  This is related to issues from
> > > Cross-Certification.]
> >
> > Note there is a flag X509_V_FLAG_TRUSTED_FIRST in HEAD which may do what
> > you want.
>
> Yes, this is what I was looking at doing and very similar to how I was going
> to do it.  Is there API support for this?  E.g., to set from mod_ssl?  I
> don't see anything, so I'm just reaching in through ctx->param to set it,
> but if there's a better/more proper way, I'd prefer to do it that way.
 

You can use X509_VERIFY_PARAM_set_flags() on an X509_VERIFY_PARAM structure
and pass those to the SSL_CTX using SSL_CTX_set1_param().


> Also, is this targeted for 1.0.2, I guess? And would it be possible to
> back-port it to the 0.9.8 branch?  I'd love to have, e.g., RHEL5 pick it up
> natively.
 

It is targeted for 1.0.2 but it will never appear in 1.0.0 or 0.9.8 as new
features no longer appear in stable branches.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


[openssl.org #2751] [ENHANCEMENT] Request moving static get_issuer_sk before X509_verify_cert

2012-03-03 Thread Kevin Vargo via RT
I'd like to request moving the static function get_issuer_sk higher in the
x509_vf.c file, to permit its use by other functions in the file, such as:
  int X509_verify_cert(X509_STORE_CTX *ctx)

Attached is the patch that simply moves the function's declaration higher up in 
the file.

I'll submit another request related to why I want this done; but the move 
itself should be OK, I think.   [I would like to be able to check the trusted 
store for any matching issuer when building the client-verification chain.  
This is related to issues from Cross-Certification.]


x509_vfy.c-issuer_sk.patch
Description: Binary data


[openssl.org #2751] [ENHANCEMENT] Request moving static get_issuer_sk before X509_verify_cert

2012-03-03 Thread Stephen Henson via RT
> [var...@yahoo.com - Sat Mar 03 13:23:18 2012]:
>
> I'll submit another request related to why I want this done; but the
> move itself should be OK, I think.  [I would like to be able to
> check the trusted store for any matching issuer when building the
> client-verification chain.  This is related to issues from
> Cross-Certification.]
 

Note there is a flag X509_V_FLAG_TRUSTED_FIRST in HEAD which may do what
you want.

Steve.
-- 
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
