On 4. 1. 26 18:52, Daniel Sahlberg wrote:
On Fri, 2 Jan 2026 at 20:26, <[email protected]> wrote:
Author: brane Date: Fri Jan 2 19:26:19 2026 New Revision: 1931058 Log: Split the client certificate callback implementation into two functions, one that uses OSSL_STORE and the ancient/original that reads PKCS#12 files. * buckets/ssl_buckets.c (ssl_read_client_cert_uri): New, conditionally present. Reads certificates and private keys from a keystore, which can be a PKCS#12 file or an OS-specific certificate store URI. The implementation was moved from ssl_need_client_cert() with minor changes. (ssl_need_client_cert): Delegate to ssl_read_client_cert_uri() first, then continue with the file-based attempt if no certificates were found.
Modified: serf/trunk/buckets/ssl_buckets.c Modified: serf/trunk/buckets/ssl_buckets.c ============================================================================== --- serf/trunk/buckets/ssl_buckets.c Fri Jan 2 14:10:38 2026 (r1931057) +++ serf/trunk/buckets/ssl_buckets.c Fri Jan 2 19:26:19 2026 (r1931058)...@@ -1857,9 +1833,44 @@ static int ssl_need_client_cert(SSL *ssl ctx->cert_pw_cache_pool); } + result = 1; + } + + cleanup: + sk_X509_pop_free(leaves, X509_free); + sk_X509_pop_free(intermediates, X509_free); + sk_EVP_PKEY_pop_free(keys, EVP_PKEY_free); + X509_STORE_free(requests); + UI_destroy_method(ui_method); + + return result; +} + +#endif + +static int ssl_need_client_cert(SSL *ssl, X509 **cert, EVP_PKEY **pkey) +{ + serf_ssl_context_t *ctx = SSL_get_app_data(ssl); +#if defined(SERF_HAVE_OSSL_STORE_OPEN_EX) +#endif
Am I missing something here or is this a no-op?
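Review bot: In the new ssl_need_client_cert(), the "#if defined(SERF_HAVE_OSSL_STORE_OPEN_EX)" guard is closed by "#endif" on the very next line, so the conditional block is empty and the delegation to ssl_read_client_cert_uri() that the log message describes does not appear in the lines shown. The call belongs between the two directives, together with a check of its return value so that the function returns early when a certificate was found and only otherwise continues with the file-based PKCS#12 attempt.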
This bit of code exploits a very rarely used, obscure feature of C whose purpose is to make me look very wise instead of completely silly. *facepalm*
Will fix...

-- Brane
