In article <[EMAIL PROTECTED]> you wrote:
> Ralf S. Engelschall wrote:
>> In short, this (the s_server approach) works:
>> 
>>     ctx = SSL_CTX_new();
>>     SSL_CTX_set_tmp_rsa_callback(ctx, ...);
>>     SSL_CTX_use_certificate(ctx, ...);
>>     ssl = SSL_new();
>>     /* now ssl->cert contains the callbacks for the RSA temp key */
>> 
>> while this (the mod_ssl approach) fails:
>> 
>>     ctx = SSL_CTX_new();
>>     SSL_CTX_set_tmp_rsa_callback(ctx, ...);
>>     ssl = SSL_new();
>>     SSL_use_certificate(ctx, ...);

> Surely this is:
>   SSL_use_certificate(ssl,...);

Yes, sorry: cut & paste.

> and there's the point - if you want to use the cert from the context,
> then don't set one on the session. If you set one on the session, its
> _wrong_ to copy the temp key from the context.

Why? The context's purpose is to provide _defaults_ and so
it seems reasonable to me that the temp keys are considered
as defaults and preserved.

> What you really want is the corresponding tmp_{rsa,dh} functions, i.e.:

> void SSL_set_tmp_rsa(SSL *ssl,RSA *rsa);

> and so on.

Yes, I've thought about this, too. This is a possible alternative.  Actually I
think we should provide both functionalities: preserved defaults and a way to
explicitly set the stuff on a per connection basis. More opinions?

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
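The two configuration paths argued over above, as an added example that is not part of the original thread and is not OpenSSL code: a small C model in which a connection inherits its defaults from the context at creation, a per-connection certificate setter either discards or preserves the inherited temporary-key callback, and an explicit per-connection setter overrides it. The types tls_ctx, tls_conn, tls_cert, the callback signature and every function name are hypothetical stand-ins for SSL_CTX, SSL, X509 and the SSL_*_tmp_rsa* calls; the two callbacks and the certificate are constructed so that the result of each ordering can be checked.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for X509, SSL_CTX and SSL; not OpenSSL's structures. */
typedef struct { const char *subject; } tls_cert;
typedef const char *(*tmp_key_cb)(int is_export, int keylength);

typedef struct {
    const tls_cert *cert;   /* default certificate */
    tmp_key_cb      tmp_cb; /* default temporary-key callback */
} tls_ctx;

typedef struct {
    const tls_ctx  *ctx;
    const tls_cert *cert;   /* per-connection certificate */
    tmp_key_cb      tmp_cb; /* per-connection temporary-key callback */
} tls_conn;

/* Two constructed callbacks, distinguishable by their return value. */
static const char *ctx_default_tmp_key(int is_export, int keylength)
{ (void)is_export; (void)keylength; return "ctx-default-key"; }
static const char *conn_specific_tmp_key(int is_export, int keylength)
{ (void)is_export; (void)keylength; return "conn-specific-key"; }

void tls_ctx_init(tls_ctx *ctx) { ctx->cert = NULL; ctx->tmp_cb = NULL; }
void tls_ctx_set_tmp_cb(tls_ctx *ctx, tmp_key_cb cb) { ctx->tmp_cb = cb; }
void tls_ctx_use_certificate(tls_ctx *ctx, const tls_cert *c) { ctx->cert = c; }

/* SSL_new-style creation: the connection starts with a copy of the context's defaults. */
void tls_conn_new(const tls_ctx *ctx, tls_conn *conn)
{
    conn->ctx = ctx;
    conn->cert = ctx->cert;
    conn->tmp_cb = ctx->tmp_cb;
}

/* The ordering the thread reports as failing: installing a per-connection
 * certificate rebuilds the connection's certificate state from scratch,
 * so the callback inherited from the context is lost. */
void tls_conn_use_certificate_discarding(tls_conn *conn, const tls_cert *c)
{
    conn->cert = c;
    conn->tmp_cb = NULL;
}

/* "Preserved defaults": replace only the certificate, keep the inherited callback. */
void tls_conn_use_certificate(tls_conn *conn, const tls_cert *c) { conn->cert = c; }

/* "Explicit per-connection setting": the SSL_set_tmp_rsa-style override. */
void tls_conn_set_tmp_cb(tls_conn *conn, tmp_key_cb cb) { conn->tmp_cb = cb; }

/* What a handshake would do when it needs a temporary key; NULL means none available. */
const char *tls_conn_tmp_key(const tls_conn *conn, int keylength)
{
    return conn->tmp_cb ? conn->tmp_cb(keylength <= 512, keylength) : NULL;
}

int main(void)
{
    tls_ctx ctx;
    tls_conn a, b, c;
    tls_cert site = { "CN=example" };   /* constructed certificate */
    const char *k;

    tls_ctx_init(&ctx);
    tls_ctx_set_tmp_cb(&ctx, ctx_default_tmp_key);

    /* mod_ssl ordering with a discarding setter: no temp key left */
    tls_conn_new(&ctx, &a);
    tls_conn_use_certificate_discarding(&a, &site);
    k = tls_conn_tmp_key(&a, 512);
    printf("discarding setter: %s\n", k ? k : "(no temp key)");

    /* same ordering, callback preserved as a default */
    tls_conn_new(&ctx, &b);
    tls_conn_use_certificate(&b, &site);
    printf("preserving setter: %s\n", tls_conn_tmp_key(&b, 512));

    /* explicit per-connection override on top of the defaults */
    tls_conn_new(&ctx, &c);
    tls_conn_use_certificate(&c, &site);
    tls_conn_set_tmp_cb(&c, conn_specific_tmp_key);
    printf("explicit override: %s\n", tls_conn_tmp_key(&c, 1024));
    return 0;
}
```

The context is never modified by any of the per-connection calls, which is what makes both routes compatible: a connection that sets nothing gets the context's callback, and one that sets its own gets that, with the certificate setter touching only the certificate either way.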