> [dw...@infradead.org - Tue Jun 02 15:21:30 2009]:
>
> On Tue, 2009-06-02 at 13:40 +0200, Stephen Henson via RT wrote:
> > If however we are going to revise this I'd say we should use
> > X509_verify_cert to build the chain instead of more ad-hoc stuff.
>
> This seems to work... only tested for
On Fri, 2009-06-26 at 16:53 +0200, Dr. Stephen Henson wrote:
> Sorry for delay in replying doing a shed load of other stuff at present. The
> patch looks OK but will make a few minor changes to it, set the cert in
> X509_STORE_CTX_init() instead of the structure access.
Does it help if I resubmit
ame,
> > > and if that happens then ssl3_output_cert_chain() may select the wrong
> > > one because it just picks a certificate by name and doesn't actually
> > > _check_ if it really is the right one.
> > >
> > > There's a function which gets this right; X5
On Tue, 2009-06-02 at 13:40 +0200, Stephen Henson via RT wrote:
> > [dw...@infradead.org - Sun May 31 22:08:11 2009]:
> >
> > It's possible for multiple certificates to have the same subject name,
> > and if that happens then ssl3_output_cert_chain() may select the
On Tue, 2009-06-02 at 15:21 +0200, David Woodhouse via RT wrote:
> On Tue, 2009-06-02 at 13:40 +0200, Stephen Henson via RT wrote:
> > If however we are going to revise this I'd say we should use
> > X509_verify_cert to build the chain instead of more ad-hoc stuff.
>
> This seems to work... only t
t;data[*l]);
+ l2n3(n,p);
+ i2d_X509(x,&p);
+ *l+=n+3;
+
+ return(0);
+ }
+
unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
{
unsigned char *p;
- int n,i;
+ int i;
unsigned long l=
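Review bot: The return value of `i2d_X509(x,&p);` in the new helper is discarded, and the following `*l+=n+3;` assumes the encoder wrote exactly `n` bytes. If the call fails or writes a different length, the 3-byte length prefix emitted by `l2n3(n,p)` and the running total `*l` no longer match what is in the buffer. Consider checking that the call returns `n` (and is not negative) before advancing `*l`, and returning a failure code otherwise. Since the helper returns 0 on this path, a short comment stating the return convention (0 for success) would also help callers.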
9(x,&p);
+ *l+=n+3;
+
+ return(0);
+ }
+
unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
{
unsigned char *p;
int n,i;
unsigned long l=7;
BUF_MEM *buf;
- X509_STORE_CTX xs_ctx;
- X509_OBJECT obj;
-
> [dw...@infradead.org - Sun May 31 22:08:11 2009]:
>
> It's possible for multiple certificates to have the same subject name,
> and if that happens then ssl3_output_cert_chain() may select the wrong
> one because it just picks a certificate by name and doesn't actually
It's possible for multiple certificates to have the same subject name,
and if that happens then ssl3_output_cert_chain() may select the wrong
one because it just picks a certificate by name and doesn't actually
_check_ if it really is the right one.
There's a function which
message' from the server.
The fix seems to be a simple one, just send the extra CA certs only when
there is a sender certificate. I made that change and things are working
fine for me.
Can someone please verify the following code change?
version: 0.9.8e
file: ssl/s3_both.c
function: ssl3_ou
Hi Experts,
I would like to know what "ssl3_output_cert_chain(SSL *s, X509 *x)" does and
what it is intended to do when called from inside
"ssl3_send_server_certificate(SSL *s)". This I am asking after doing a lot
of googling and unab
[levitte - Thu Nov 14 19:13:05 2002]:
> Bodo, if you haven't had more correspondence on this ticket, you
> probably should resolve it...
No more information, so I'll resolve now.
Lutz
__
OpenSSL Project
Bodo, if you haven't had more correspondence on this ticket, you
probably should resolve it...
[bodo - Thu Aug 29 13:08:00 2002]:
> Can you elaborate what you think is buggy?
>
> 'make test' still succeeds if you substitute 10 for
> SSL3_RT_MAX_PLAIN_LENGTH in ssl3_write_bytes (ssl/s3_pkt.c),
Can you elaborate what you think is buggy?
'make test' still succeeds if you substitute 10 for
SSL3_RT_MAX_PLAIN_LENGTH in ssl3_write_bytes (ssl/s3_pkt.c),
which sort of simulates very long certificate chains.
There is a limit to certificate chains (SSL_MAX_CERT_LIST_DEFAULT by
_
It seems possible that for certain very long certificate
chains the length will exceed the maximum ssl record
length (16384). While this appears to be very unlikely
the code could be buggy. Any thoughts?