On Wed, Aug 05, 2020 at 11:42:15AM +0200, William Dauchy wrote:
> Hi,
> 
> Here is a patch to add a new fetcher for cert chain.
> It follows discussion after thread
> https://www.mail-archive.com/[email protected]/msg35607.html
> 
> It currently does not support session reuse, but I was looking for
> inputs about it, whether I could make use of `reused_sess` objects in
> haproxy, and in which way. Indeed, as pointed by Emeric in
> https://www.mail-archive.com/[email protected]/msg37380.html
> `SSL_get_peer_cert_chain` returns NULL in case of resumed session.
> 

I don't know if this is possible to fix it, but I think must of the SSL fetches 
have
the problem.

Your patches look good, my only concern is the alloc_trash_chunk()
return value which is not tested, otherwise I'm okay to merge them!

> +     smp_trash = get_trash_chunk();
> +     tmp_trash = alloc_trash_chunk();
> +     for (i = 0; i < num_certs; i++) {
> +             crt = sk_X509_value(certs, i);
> +             if (ssl_sock_crt2der(crt, tmp_trash) <= 0)
> +                     goto out;
> +             chunk_cat(smp_trash, tmp_trash);
> +     }


-- 
William Lallemand

Reply via email to