> [rob.stradl...@comodo.com - Fri Sep 21 15:55:39 2012]:
> 
> Hi Steve.
> 
> I saw your update (to 1.0.2 and HEAD), and I did start looking at 
> backporting it into my 1.0.1/1.0.0/0.9.8 patches.
> 
> ssl_get_server_send_pkey() is not available in 1.0.1 and earlier, so the 
> t1_lib.c patch would have to be something like...
> 
> +             X509 *x;
> +             x = ssl_get_server_send_cert)s);
> +             /* If no certificate can't return certificate status */
> +             if (x == NULL)
> +                     {
> +                     s->tlsext_status_expected = 0;
> +                     return 1;
> +                     }
> +             /* Set current certificate to one we will use so
> +              * SSL_get_certificate et al can pick it up.
> +              */
> +             s->cert->key->x509 = x;
> 
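
Review bot: `x = ssl_get_server_send_cert)s);` has a `)` where the call's opening `(` should be, so the hunk will not compile as posted; it should read `x = ssl_get_server_send_cert(s);`. The more serious problem is `s->cert->key->x509 = x;`: it swaps the certificate in the current key slot without touching the slot's private key or certificate type and without releasing the certificate that was there, so the key/certificate pair can diverge and the old X509 reference leaks. Rather than overwriting the pointer, obtain the CERT_PKEY slot that owns `x` (which is what backporting ssl_get_server_send_pkey, as suggested below, gives you) and use that slot.
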
> Is it OK to update s->cert->key->x509 like this?
> 

No, because you could end up with all sorts of bad things happening (keys
and certificates not matching, certificate types not matching and memory
leaks). The easiest solution is to also backport ssl_get_server_send_pkey; see:

http://cvs.openssl.org/chngview?cn=22840

Steve.
-- 
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
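
An added illustration of the mismatch described above (not code from this thread or from OpenSSL): a constructed model with stand-in `X509`, `EVP_PKEY` and `CERT_PKEY` types shows that overwriting a slot's `x509` pointer leaves that slot's private key unmatched, while looking up the slot that owns the chosen certificate keeps the pair together. The fixture, the `key_id`/`type` fields and all function names are assumptions made for the model.

```c
#include <stddef.h>

/* Constructed stand-ins for OpenSSL's X509 and EVP_PKEY (not the real types):
 * key_id ties a certificate to the private key it was issued for. */
typedef struct { int key_id; int type; } X509;
typedef struct { int key_id; int type; } EVP_PKEY;

/* Same shape as OpenSSL's CERT_PKEY: one certificate plus its private key. */
typedef struct { X509 *x509; EVP_PKEY *privatekey; } CERT_PKEY;

enum { TYPE_RSA = 0, TYPE_ECDSA = 1 };

/* A slot is usable only if certificate and private key still belong together. */
int cert_pkey_matches(const CERT_PKEY *k)
{
    return k->x509 != NULL && k->privatekey != NULL &&
           k->x509->key_id == k->privatekey->key_id &&
           k->x509->type == k->privatekey->type;
}

/* The approach from the posted backport: overwrite the pointer in place.
 * The slot's private key and type are untouched and the old certificate
 * reference is never released. */
void naive_set_send_cert(CERT_PKEY *key, X509 *x)
{
    key->x509 = x;
}

/* Modelled alternative: return the slot that owns the certificate to send,
 * so the certificate and its key travel as a unit (nothing is overwritten). */
CERT_PKEY *select_send_pkey(CERT_PKEY *slots, size_t n, const X509 *x)
{
    for (size_t i = 0; i < n; i++)
        if (slots[i].x509 == x)
            return &slots[i];
    return NULL;
}

/* Constructed fixture: a server holding an RSA slot and an ECDSA slot. */
#define NSLOTS 2
static X509     certs[NSLOTS] = { {1, TYPE_RSA}, {2, TYPE_ECDSA} };
static EVP_PKEY keys[NSLOTS]  = { {1, TYPE_RSA}, {2, TYPE_ECDSA} };
static CERT_PKEY slots[NSLOTS] = { {&certs[0], &keys[0]}, {&certs[1], &keys[1]} };

/* s->cert->key points at the RSA slot; the ECDSA cert is chosen for this
 * connection. Returns 1 only if the pair still matches afterwards. */
int naive_backport_keeps_match(void)
{
    CERT_PKEY cur = slots[0];
    naive_set_send_cert(&cur, &certs[1]);
    return cert_pkey_matches(&cur);
}

/* Same scenario using slot selection: returns 1 if the pair matches. */
int slot_selection_keeps_match(void)
{
    CERT_PKEY *cpk = select_send_pkey(slots, NSLOTS, &certs[1]);
    return cpk == &slots[1] && cert_pkey_matches(cpk);
}
```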

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org