s3_srvr inconsistently uses s->ctx->default_cert->rsa_tmp_cb for
temporary RSA keys, but s->session->cert->dh_tmp_cb for ephemeral DH
keys. So the comment in the definition of struct cert_st (aka CERT)
in ssl_locl.h is wrong:
/* FIXME: Although rsa_tmp and dh_tmp are properties of the cert,
callbacks probably aren't, and besides only the context default
cert's callbacks are actually used. Too close to a release to fix
this now - Ben 6 Mar 1999 */
RSA *(*rsa_tmp_cb)(SSL *ssl,int export,int keysize);
DH *(*dh_tmp_cb)(SSL *ssl,int export,int keysize);
If rsa_tmp_cb is set for a specifix SSL object, then currently this
callback is simply ignored, even though the API now has functions to
set this very callback (SSL_set_tmp_rsa_callback). Probably the
SSL-object specific callbacks should always be used (just as with
explicitly set non-callback parameters), because s->session->cert is
initially the same as s->ctx->default_cert[1] until a change is
explicitly requested.[2] The versions from s->ctx->default_cert can
be used as fallbacks when no specific callback functions have been
defined.
[1] s->cert is set to s->session->cert by SSL_new, and
s->session->cert is set to s->cert during the handshake if a new
session is started.
[2] More exactly, the first change to the SSL-object specific
"cert" parameters causes a fresh s->cert to be created, which
does not copy the values of s->ctx->default_cert; this happens in
the call to ssl_cert_instantiate from within ssl_rsa.c
(SSL_use_certificate, SSL_use_RSAPrivateKey, SSL_use_PrivateKey)
or from within s3_lib.c (ssl3_ctrl, which is used to implement
SSL_set_tmp_rsa_callback and so on).
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
