Hi Williams,
> +/* binary, returns a chain certificate in a binary chunk (der/raw).
> + * The 5th keyword char is used to support only peer cert
> + */
> +static int
> +smp_fetch_ssl_x_chain_der(const struct arg *args, struct sample *smp, const
> char *kw, void *private)
> +{
> + struct buffer *smp_trash;
> + struct buffer *tmp_trash = NULL;
> + struct connection *conn;
> + STACK_OF(X509) *certs = NULL;
> + X509 *crt = NULL;
> + SSL *ssl;
> + int ret = 0;
> + int num_certs;
> + int i;
> +
> + // only peer cert chain is supported
> + if (kw[4] != 'c')
> + return 0;
> +
> + conn = objt_conn(smp->sess->origin);
> + if (!conn)
> + return 0;
> +
> + ssl = ssl_sock_get_ssl_object(conn);
> + if (!ssl)
> + return 0;
> +
I think this code could be useful to declare also a "ssl_s_chain_der" using
minor changes as this is done on ssl_c_serial:
int conn_server = (kw[4] == 's') ? 1 : 0;
...
if (conn_server)
conn = cs_conn(objt_cs(smp->strm->si[1].end));
else
conn = objt_conn(smp->sess->origin);
Emeric