> [rob.stradl...@comodo.com - Fri Sep 21 15:55:39 2012]:
>
> Hi Steve.
>
> I saw your update (to 1.0.2 and HEAD), and I did start looking at
> backporting it into my 1.0.1/1.0.0/0.9.8 patches.
>
> ssl_get_server_send_pkey() is not available in 1.0.1 and earlier, so the
> t1_lib.c patch would have to be something like...
>
> + X509 *x;
> + x = ssl_get_server_send_cert)s);
> + /* If no certificate can't return certificate status */
> + if (x == NULL)
> + {
> + s->tlsext_status_expected = 0;
> + return 1;
> + }
> + /* Set current certificate to one we will use so
> + * SSL_get_certificate et al can pick it up.
> + */
> + s->cert->key->x509 = x;
>
> Is it OK to update s->cert->key->x509 like this?
>
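Review bot: the assignment `s->cert->key->x509 = x;` overwrites the certificate slot without freeing or up-referencing the previous X509 and without touching the private key that slot is paired with, so the certificate and key (and certificate type) can diverge and the old certificate leaks. Also `x = ssl_get_server_send_cert)s);` has a misplaced parenthesis and would not compile; it should read `x = ssl_get_server_send_cert(s);`. Rather than mutating the cert slot here, resolve the cert/key pair the way the 1.0.2/HEAD change does by backporting ssl_get_server_send_pkey() as well.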
No, because you could end up with all sorts of bad things happening (keys and certificates not matching, certificate types not matching and memory leaks). Easiest solution is to also backport ssl_get_server_send_pkey, see:

http://cvs.openssl.org/chngview?cn=22840

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org