Peter Sylvester
Tue, 28 Jul 2009 23:58:38 -0700
I looked at the patch in question and it seems reasonable to me. That should work fine on much older versions of OpenSSL it's just that now some things are enforced that weren't before.
A little nit in ssl_engine_init.c: instead of

- SSL_CTX_set_client_CA_list(ctx, (STACK *)ca_list);
+ SSL_CTX_set_client_CA_list(ctx, (STACK_OF(X509_NAME) *)ca_list);

I think I'd prefer

+ SSL_CTX_set_client_CA_list(ctx, ca_list);

and a few lines later instead of

ca_list = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(ctx);

it should be

ca_list = SSL_CTX_get_client_CA_list(ctx);
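Review bot: The `(STACK_OF(X509_NAME) *)` cast on the `+` line is only needed if `ca_list` is not already declared with that type, and in that case it hides the mismatch rather than fixing it; the typed STACK_OF API exists so the compiler can catch exactly that. Pass the variable uncast, `SSL_CTX_set_client_CA_list(ctx, ca_list);`, and likewise drop the cast in front of `SSL_CTX_get_client_CA_list(ctx)` in the assignment a few lines later, so that any remaining `STACK *` declaration of `ca_list` surfaces as a compile error instead of being silently cast away.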
There is some non-portable code round there that accesses extensions in a most convoluted fashion for some unknown reason.
The stuff in ..vars.c ssl_ext_list?
Steve.
/p