On 18/02/2014 20:06, Jeff Trawick wrote:
> On Mon, Feb 3, 2014 at 6:21 AM, Dr Stephen Henson
> <shen...@opensslfoundation.com <mailto:shen...@opensslfoundation.com>> wrote:
>
> > On 02/02/2014 13:45, Kaspar Brand wrote:
> > > On 01.02.2014 14:37, Dr Stephen Henson wrote:
> > >> I'm wondering how that could be avoided. Would a way to enumerate all
> > >> certificates in an SSL_CTX structure in OpenSSL help? Something like
> > >> SSL_CTX_get0_first_certificate() and SSL_CTX_get0_next_certificate(). That would
> > >> also set the current certificate at the same time in case applications wanted to
> > >> inspect the private key or chain.
> > >
> > > Yes, this sounds like a useful extension - not only for the issue at
> > > hand (i.e. SSL_CONF and stapling initialisation), but as a general
> > > mechanism for retrieving all certificates of an SSL_CTX.
> > >
> >
> > Added now. The API is slightly different, but easy enough to use.
> >
> > To iterate over all certificates in an SSL_CTX something like this will do the
> > trick:
> >
> > X509 *x;
> > int rv;
> > rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
> > while (rv)
> > {
> >     x = SSL_CTX_get0_certificate(ctx); /* the certificate now current in ctx */
> >     rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT);
> > }
> >
> > Steve.
>
> Is the leaf certificate always first? (And/or maybe it is up to how the admin
> configures it and it only works if the leaf is first?)
>
> The APIs work this way with the OpenSSL 1.0.2 branch now?
>
> TIA!
An SSL_CTX can have multiple server certificates associated with it and the one used
depends on the ciphersuite negotiated by the client. The certificate you get from
SSL_CTX_get0_certificate is the server certificate which will always be a leaf
certificate. You need different APIs to get the rest of the chain (assuming one has
been configured).

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com