On Mon, Feb 3, 2014 at 6:21 AM, Dr Stephen Henson <
shen...@opensslfoundation.com> wrote:

> On 02/02/2014 13:45, Kaspar Brand wrote:
> > On 01.02.2014 14:37, Dr Stephen Henson wrote:
> >> I'm wondering how that could be avoided. Would a way to enumerate all
> >> certificates in an SSL_CTX structure in OpenSSL help? Something like
> >> SSL_CTX_get0_first_certificate() and SSL_CTX_get0_next_certificate(). That would
> >> also set the current certificate at the same time in case applications wanted to
> >> inspect the private key or chain.
> >
> > Yes, this sounds like a useful extension - not only for the issue at
> > hand (i.e. SSL_CONF and stapling initialisation), but as a general
> > mechanism for retrieving all certificates of an SSL_CTX.
> >
>
> Added now. The API is slightly different, but easy enough to use.
>
> To iterate over all certificates in an SSL_CTX something like this will do the trick:
>
> X509 *x;
> int rv;
> rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
> while (rv)
>         {
>         x = SSL_CTX_get0_certificate(ctx); /* the current certificate */
>         rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT);
>         }
>
> Steve.
>

Is the leaf certificate always first?  (And/or maybe it is up to how the
admin configures it and it only works if the leaf is first?)

The APIs work this way with the OpenSSL 1.0.2 branch now?

TIA!


> --
> Dr Stephen Henson. OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> +1 877-673-6775
> shen...@opensslfoundation.com
>



-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
