Hi Steve,

I am also facing the same issue.
If I want to fix this bug, should the code for SSL_get_certificate() be
restored to previous state? Is there any other place to be fixed?

Thanks,
-Vimol


On Mon, Feb 11, 2013 at 10:21 PM, Dr. Stephen Henson <st...@openssl.org> wrote:

> On Mon, Feb 11, 2013, Bogdan Harjoc wrote:
>
> > I updated to openssl 1.0.1k from 1.0.0d and I get a NULL pointer
> > dereference when I call SSL_get_certificate on a valid SSL object.
> >
> > Backtrace:
> >
> > ssl_set_cert_masks:1845
> > ssl_get_server_send_pkey:2117
> > ssl_get_server_send_cert:2175
> > SSL_get_certificate:2605
> >
> > ssl_get_server_send_pkey calls ssl_set_cert_masks(c, s->s3->tmp.new_cipher)
> > and s->s3->tmp.new_cipher is NULL.
> >
> > SSL_get_certificate has changed from:
> >
> >   if (s->cert != NULL)
> >       return(s->cert->key->x509);
> >   else
> >       return(NULL);
> >
> > to:
> >
> >   if (s->server)
> >       return(ssl_get_server_send_cert(s));
> >   else if (s->cert != NULL)
> >       return(s->cert->key->x509);
> >   else
> >       return(NULL);
> >
> > Apologies if I'm missing something obvious. I can come up with some simple
> > code that reproduces this if needed.
> >
>
> Ugh that's a bug. The behaviour of SSL_get_certificate was changed so it
> returned the certificate used (instead of the last one set) for OCSP
> stapling.
>
> A bug in the original was fixed in the master branch but didn't get included
> in other branches.
>
> It should work OK as long as you only call SSL_get_certificate after the
> connection is established.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>

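Added example, not part of the thread and not OpenSSL source: a simplified C model of the two getters quoted above, plus a caller-side guard that takes the new path only once a cipher has been negotiated. All struct and function names here (model_ssl, get_cert_old, get_cert_new, get_cert_guarded) are hypothetical stand-ins for the fields named in the backtrace.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the fields named in the thread; not OpenSSL's real structs. */
typedef struct { const char *subject; } model_x509;
typedef struct { unsigned long alg_mask; } model_cipher;
typedef struct {
    int server;                     /* s->server */
    model_x509 *last_set;           /* s->cert->key->x509, NULL if no cert set */
    model_x509 *in_use;             /* cert selected for the negotiated cipher */
    const model_cipher *new_cipher; /* s->s3->tmp.new_cipher, NULL before negotiation */
} model_ssl;

/* 1.0.0-style getter quoted in the thread: returns the last certificate set. */
model_x509 *get_cert_old(const model_ssl *s) { return s->last_set; }

/* 1.0.1-style getter: the server path reads new_cipher with no NULL check,
 * which is the dereference in the reported backtrace. */
model_x509 *get_cert_new(const model_ssl *s)
{
    if (s->server) {
        unsigned long mask = s->new_cipher->alg_mask; /* crashes if NULL */
        return mask ? s->in_use : NULL;
    }
    return s->last_set;
}

/* Caller-side guard: use the new path only once a cipher is negotiated,
 * otherwise fall back to the last certificate set. */
model_x509 *get_cert_guarded(const model_ssl *s)
{
    if (s == NULL) return NULL;
    if (s->server && s->new_cipher == NULL) return get_cert_old(s);
    return get_cert_new(s);
}

int main(void)
{
    model_x509 conf = { "CN=configured" }, used = { "CN=in-use" }; /* constructed */
    model_cipher c = { 1UL };
    model_ssl s = { 1, &conf, &used, NULL };  /* server, before handshake */
    printf("before: %s\n", get_cert_guarded(&s)->subject);
    s.new_cipher = &c;                        /* handshake picked a cipher */
    printf("after:  %s\n", get_cert_guarded(&s)->subject);
    return 0;
}
```

In a real application the model's new_cipher check corresponds to confirming that the handshake has completed before calling SSL_get_certificate, as the reply above advises.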