Determining SSL connection to use in password_Callback

2001-09-21 Thread Andrew Finnell

I have come across a little dilemma. I set a password callback on an SSL_CTX, and when I went to write the implementation I realized I couldn't determine what SSL * connection was currently in use. And every SSL connection I have uses a different set of certificate/key pairs. So what is the normal way of determining what connection and/or what cert/key pair needs the password?

-- 
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485 

Re: Determining SSL connection to use in password_Callback

2001-09-21 Thread Lutz Jaenicke

On Fri, Sep 21, 2001 at 10:50:55AM -0400, Andrew Finnell wrote:
> I have come across a little dilemma. I set a password callback on an
> SSL_CTX, and when I went to write the implementation I realized I couldn't
> determine what SSL * connection was currently in use. And every SSL
> connection I have uses a different set of certificate/key pairs. So what is
> the normal way of determining what connection and/or what cert/key pair
> needs the password?

I just had a look into the source. The password callback (and userdata)
are only set once per SSL_CTX object. When the certificates and keys are read
in, the ctx->default_passwd_callback() is unconditionally used regardless
of which SSL object is currently treated. The function is actually handed to
e.g. PEM_read_bio_RSAPrivateKey(), which does not even know what an SSL
object (or SSL_CTX object) is (see ssl/ssl_rsa.c:SSL_use_certificate_file()).

The answer to your question therefore is:
The OpenSSL API does not support per-SSL object password callbacks, only
per-SSL_CTX password callbacks are supported.
The same applies for the userdata field, so that one can also not use it
to pass the information about the SSL object.

Proposed solution: read the key directly using e.g. PEM_read_bio_RSAPrivateKey()
and friends, freely using the password callback of your choice, then
load the key using SSL_use_RSAPrivateKey() and friends.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]