On 28/07/2017 at 16:35, Emmanuel Hocdet wrote:
> okay compat...
> SSL_free should not be called until pkey is dup'ed. For SSL_get_privatekey:
> "These functions retrieve certificate and key data from an SSL object.
> They return internal pointers that must not be freed by the application
> program."
Good catch
> perhaps add the declaration in openssl-compat.h:
>
> /* Compat shim for OpenSSL versions that lack SSL_CTX_get0_privatekey():
>  * returns the context's private key by reaching into the (pre-1.1)
>  * internal cert structure. The pointer is owned by the SSL_CTX and must
>  * not be freed by the caller. */
> EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx)
> {
>         if (ctx->cert != NULL)
>                 return ctx->cert->key->privatekey;
>         else
>                 return NULL;
> }
Good idea, I'll do that
> initial_ctx is still needed; removing it could be painful.
> The case is SSL params per certificate. Take a bind line with only
> crt-list.
>
> crt-list:
> a.pem [ alpn h2,http/1.1 ]
> b.pem
>
> default_ctx is set with the first parsed certificate (and its configuration),
> so b.pem will inherit the "alpn" configuration from a.pem.
>
> To fix that:
> 1) clean all SSL configuration inherited from default_ctx (does not work
> in all cases; much time spent testing with OpenSSL versions)
> 2) change the definition of default_ctx: first parsed certificate
> without its configuration (only the bind configuration).
> I don't want to do that, this is an unexpected behavior.
> 3) force usage of one crt in the bind line to set the default cert (and
> before crt-list).
> It breaks old configurations (and I don't want a default cert).
> Other? I tried, failed, and fixed it by introducing initial_ctx to normalise
> the behavior in a clean manner.
Ok, thanks for your explanations. I'll keep initial_ctx then. I'll quickly
propose a patch to fix certificate generation.
--
Christopher Faulet
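The inheritance problem Emmanuel describes above (default_ctx being the first parsed crt-list entry, so later entries without their own settings pick up its per-certificate parameters) is easy to model outside HAProxy. The following is an added illustration, not HAProxy's or OpenSSL's code: SSL contexts are modelled as plain dicts of settings, the crt-list text and the bind-level settings (BIND_CONFIG, with a hypothetical "ciphers" value) are constructed for the example, and only the bracketed "keyword value" syntax quoted in the thread is parsed. The use_initial_ctx flag switches between the old behaviour (copy default_ctx) and the initial_ctx approach (copy a context that holds nothing but the bind configuration).

```python
"""Model of which context a crt-list certificate inherits its SSL settings from.

Added example, not HAProxy code. A 'context' is a dict of settings; the
crt-list and bind configuration below are constructed for the illustration.
"""

import re

# Constructed crt-list in the format quoted in the thread: a file name
# followed by optional per-certificate settings in square brackets.
CRT_LIST = """\
a.pem [ alpn h2,http/1.1 ]
b.pem
"""

# Hypothetical bind-level SSL settings (what a 'bind ... ssl' line would
# provide): no ALPN at the bind level, plus an invented cipher string.
BIND_CONFIG = {"alpn": None, "ciphers": "ECDHE+AESGCM"}

_ENTRY_RE = re.compile(r"^(\S+)(?:\s*\[(.*)\])?\s*$")


def parse_crt_list(text):
    """Return [(filename, {keyword: value, ...}), ...] from crt-list text.

    Settings inside the brackets are read as alternating keyword/value tokens,
    e.g. '[ alpn h2,http/1.1 ]' -> {'alpn': 'h2,http/1.1'}.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: cannot parse crt-list entry {raw!r}")
        filename, bracket = m.group(1), m.group(2)
        tokens = bracket.split() if bracket else []
        if len(tokens) % 2:
            raise ValueError(f"line {lineno}: keyword without value in {raw!r}")
        settings = dict(zip(tokens[0::2], tokens[1::2]))
        entries.append((filename, settings))
    return entries


def build_contexts(crt_list_text, bind_config, use_initial_ctx):
    """Build one settings dict per certificate in the crt-list.

    use_initial_ctx=False models the old behaviour: default_ctx is the first
    parsed certificate *including* its own bracketed settings, and every later
    certificate starts as a copy of it.

    use_initial_ctx=True models initial_ctx: a context that carries only the
    bind-level settings, which every certificate starts from, so per-cert
    settings never leak from one entry to the next.
    """
    initial_ctx = dict(bind_config)
    default_ctx = None
    contexts = {}
    for filename, settings in parse_crt_list(crt_list_text):
        if use_initial_ctx or default_ctx is None:
            ctx = dict(initial_ctx)
        else:
            ctx = dict(default_ctx)  # old behaviour: copy the default cert's ctx
        ctx.update(settings)         # apply this entry's own settings on top
        if default_ctx is None:
            default_ctx = ctx        # first parsed certificate is the default cert
        contexts[filename] = ctx
    return contexts


if __name__ == "__main__":
    for flag in (False, True):
        print(f"use_initial_ctx={flag}:")
        for name, ctx in build_contexts(CRT_LIST, BIND_CONFIG, flag).items():
            print(f"  {name}: alpn={ctx['alpn']!r} ciphers={ctx['ciphers']!r}")
```

Run as a script it prints the two outcomes side by side: with the old behaviour b.pem reports alpn='h2,http/1.1' although its crt-list entry set nothing, while with initial_ctx it reports alpn=None and keeps only the bind-level cipher setting, which is the normalised behaviour the thread settles on.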