Emeric,
>
>Code initially uses 'ctx->default_passwd_callback_userdata' to allow us to
>manage a further way to manage passphrase via configuration.

As far as I could tell, this field was not getting set anywhere in the
code. It's set with SSL_CTX_set_default_passwd_cb, which I did not find in
the codebase. I had then assumed that this was just a harmless copy/paste
of example code, which generally always uses this CB.

>
>I notice also you continue to load DH parameters for each file. It was
>not a big deal in the past because each file corresponded to a unique
>certificate.
>
>With your patch, I don't know what will be the behavior. In the way it is
>loaded on SSL_CTX, the DH parameter doesn't seem specific to the used
>DSA/RSA/ECDSA certificate. So which one will be used, first or latest
>loaded?
>
>Some users will expect to use the DH parameter defined in the same file
>as the used certificate, but I'm really not sure it will be the case.


Unsure about this. I can change it to only load the first time the context
is created.


>
>Finally, I don't understand what will be the behavior about the
>certificate chain with openssl < 1.0.2. I see you manage to load the
>chain differently depending on the version of openssl but I ignore if the
>behavior will differ.


In 1.0.2, we can make use of an API to load multiple certificate chains into
a CTX. Prior to 1.0.2, you could not load the chains. So the checks ensure
that we make use of the new APIs, and can then serve the correct
certificate to users based on the user's cipher suite.

-Dave
