On 02/02/2014 13:45, Kaspar Brand wrote:
> On 01.02.2014 14:37, Dr Stephen Henson wrote:
>> I'm wondering how that could be avoided. Would a way to enumerate all
>> certificates in an SSL_CTX structure in OpenSSL help? Something like
>> SSL_CTX_get0_first_certificate() and SSL_CTX_get0_next_certificate(). That
>> would also set the current certificate at the same time in case applications
>> wanted to inspect the private key or chain.
> 
> Yes, this sounds like a useful extension - not only for the issue at
> hand (i.e. SSL_CONF and stapling initialisation), but as a general
> mechanism for retrieving all certificates of an SSL_CTX.
> 

Added now. The API is slightly different, but easy enough to use.

To iterate over all certificates in an SSL_CTX something like this will do the
trick:

#include <openssl/ssl.h>

int rv;
/* Select the first certificate; returns 0 if the SSL_CTX holds none. */
rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
while (rv)
        {
        /* The current certificate. While it is selected, its private key
         * and chain are reachable via SSL_CTX_get0_privatekey() and
         * SSL_CTX_get0_chain(). */
        X509 *x = SSL_CTX_get0_certificate(ctx);
        /* ... inspect x here ... */
        /* Advance; returns 0 once the last certificate has been visited. */
        rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT);
        }

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
[email protected]
