http://issues.apache.org/bugzilla/show_bug.cgi?id=41123

------- Additional Comments From [EMAIL PROTECTED] 2007-11-27 16:52 -------

> > 2) drop the duplicate X509_STORE_CTX & X509_STORE creation.
>
> I can't see why this is necessary; Marc, can you explain what that was for?

I haven't tested it explicitly but I think the extra X509_STORE and ctx was intended to extract the issuer certificate from the client certificate in a reliable way. Note that X509_STORE_CTX_get1_issuer() will only retrieve the issuer certificate if it is trusted, hence the extra store to make all certificates trusted.

To see why, suppose you have this situation:

    Root->Intermediate->Cert

where only Root is trusted. The client would send Cert and Intermediate. The OpenSSL validation logic would then build the whole chain. A call to X509_STORE_CTX_get1_issuer() would fail because Intermediate is not in the trusted store.

In actual fact it isn't necessary to create a separate store because the certificate chain has already been built and validated. All you should need to do is to extract the second member of the validated chain like this:

    /* chain[0] is the client cert, chain[1] is the cert that issued it */
    issuer = sk_X509_value(X509_STORE_CTX_get_chain(ctx), 1);
    if (issuer == NULL)
        /* Error */

Since issuer is an internal pointer it shouldn't be freed as it will be freed up when the ctx is cleaned up.

Oh and btw you do need to free up certID.
