Sorry, I attached wrong patch file.
I re-post the patch file again.
On Thu, Sep 15, 2016 at 04:10:55PM +0900, Kinichiro Inoguchi wrote:
> Hi,
>
> I would like to fix this SNI issue.
>
> reported by @davidben
> https://github.com/libressl-portable/openbsd/issues/69
>
> #3560: OpenSSL selects weak digest for (EC)DH
> https://rt.openssl.org/Ticket/Display.html?id=3560
>
> original OpenSSL commit is here.
> https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4e05aedbcab7f7f83a887e952ebdcc5d4f2291e4
>
> I will add a patch for this.
> ok ?
Index: ssl_lib.c
===
RCS file: /cvs/src/lib/libssl/ssl_lib.c,v
retrieving revision 1.116
diff -u -p -u -r1.116 ssl_lib.c
--- ssl_lib.c 25 Oct 2015 15:52:49 - 1.116
+++ ssl_lib.c 15 Sep 2016 07:25:34 -
@@ -2847,13 +2847,22 @@ SSL_get_SSL_CTX(const SSL *ssl)
SSL_CTX *
SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
{
+ CERT *ocert = ssl->cert;
if (ssl->ctx == ctx)
return (ssl->ctx);
if (ctx == NULL)
ctx = ssl->initial_ctx;
- if (ssl->cert != NULL)
- ssl_cert_free(ssl->cert);
ssl->cert = ssl_cert_dup(ctx->cert);
+ if (ocert != NULL) {
+ int i;
+ /* Copy negotiated digests from original */
+ for (i = 0; i < SSL_PKEY_NUM; i++) {
+ CERT_PKEY *cpk = ocert->pkeys + i;
+ CERT_PKEY *rpk = ssl->cert->pkeys + i;
+ rpk->digest = cpk->digest;
+ }
+ ssl_cert_free(ocert);
+ }
CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
SSL_CTX_free(ssl->ctx); /* decrement reference count */
ssl->ctx = ctx;
