Hi Williams,

> +/* binary, returns a chain certificate in a binary chunk (der/raw).
> + * The 5th keyword char is used to support only peer cert
> + */
> +static int
> +smp_fetch_ssl_x_chain_der(const struct arg *args, struct sample *smp, const 
> char *kw, void *private)
> +{
> +     struct buffer *smp_trash;
> +     struct buffer *tmp_trash = NULL;
> +     struct connection *conn;
> +     STACK_OF(X509) *certs = NULL;
> +     X509 *crt = NULL;
> +     SSL *ssl;
> +     int ret = 0;
> +     int num_certs;
> +     int i;
> +
> +     // only peer cert chain is supported
> +     if (kw[4] != 'c')
> +             return 0;
> +
> +     conn = objt_conn(smp->sess->origin);
> +     if (!conn)
> +             return 0;
> +
> +     ssl = ssl_sock_get_ssl_object(conn);
> +     if (!ssl)
> +             return 0;
> +

I think this code could be useful to declare also a "ssl_s_chain_der" using 
minor changes as this is done on ssl_c_serial:

int conn_server = (kw[4] == 's') ? 1 : 0;
...

if (conn_server)
    conn = cs_conn(objt_cs(smp->strm->si[1].end));
else
    conn = objt_conn(smp->sess->origin);


Emeric

Reply via email to