On 19/02/2014 20:17, Jeff Trawick wrote: > On Wed, Feb 19, 2014 at 2:23 PM, Dr Stephen Henson > <shen...@opensslfoundation.com <mailto:shen...@opensslfoundation.com>> wrote: > > On 19/02/2014 18:37, Jeff Trawick wrote: > > > > > > I think this is the trick... > > > > + rc = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST); > > + while (rc) { > > + x = SSL_CTX_get0_certificate(ctx); > > + if (x) { > > + chain = NULL; > > + SSL_CTX_get0_chain_certs(ctx, &chain); > > + if (chain) { > > + for (i = 0; i < sk_X509_num(chain); i++) { > > + X509 *x = sk_X509_value(chain, i); > > + /* do something */ > > + } > > + } > > + } > > + rc = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT); > > + } > > > > I'm working on Certificate Transparency support for httpd; as part of > submitting > > server certs with any necessary intermediate certs to CT logs I wanted > to > > extract them straight from the SSL_CTX so that it didn't matter how > exactly they > > got there/were configured. > > > > Unfortunately that wont work in all cases. There are several distinct > ways CA > certificates can be configured. > > In OpenSSL versions before 1.0.2 two ways existed. These had origins way > back to > the SSLeay days. > > One was a set of extra certificates which are shared amongst all the > server > certificate types in an SSL_CTX. This is far from ideal because you could > have > (for example) an RSA and a ECDSA certificate with different chains which > you > couldn't configure using this method. It could also end up using the > wrong chain > if the server is misconfigured. It also makes it impossible to have > different > chains with different SSL structures sharing the same parent SSL_CTX. > On the plus side the set of certificates is configured only once and can > be > retrieved by an application. I notice httpd can use this method. > > The second method is used in the absence of any extra certificates. An > attempt > is made to build a complete chain using the normal certificate > verification > routine and trust store. This is done on the fly on each incoming > connection > which is inefficient. It also uses the same certificate store used for > client > certificate verification (which might not be ideal). It does however have > the > advantage that it can handle different chains for different certificate > types. > I *think* httpd can use this method too as it's done pretty much > automatically. > > In OpenSSL 1.0.2 this has been extended. > > One method is the one which you used above. This supports distinct chains > per > certificate type and per-SSL structure. > > However for that to work it needs application support either explicitly > by using > SSL_CTX_add0_chain_cert or via the use of > SSL_CTX_use_cetificate_chain_file > which uses this transparently in OpenSSL 1.0.2. I just checked and httpd > currently doesn't use either of these but an enhancement to tidy up > certificate > handling by Kaspar Brand does use SSL_CTX_use_certificate_chain_file. > > > I need to make sure I understood this... > > Let's say I have OpenSSL 1.0.2 and httpd trunk. httpd trunk has the (or > "some") code to call SSL_CTX_use_certificate_chain_file. The code I posted > above will do the right thing, correct? >
It also has some code that can call SSL_CTX_add_extra_chain_cert for which the above wont work. > If I have OpenSSL 1.0.2 but httpd 2.4.x, there's no code to > call SSL_CTX_use_certificate_chain_file, so the code I posted won't work. > Correct. > > That means getting a method that works in all cases is problematical. > > You can use SSL_CTX_get_extra_chain_certs which retrieves the chain for > the > current certificate or (if it is empty) the per-ctx chain. > > > And this works with httpd 2.4.x, which doesn't have the call to > SSL_CTX_use_certificate_chain_file? > It also works with trunk where is call SSL_CTX_add_extra_chain_cert. So IMHO that's the best strategy. Not that you can get duplicate certificates using any of the techniques as the same CA might issue more than one server certificate. Steve. -- Dr Stephen Henson. OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 +1 877-673-6775 shen...@opensslfoundation.com