Bodo Moeller wrote:
>
> s3_srvr inconsistently uses s->ctx->default_cert->rsa_tmp_cb for
> temporary RSA keys, but s->session->cert->dh_tmp_cb for ephemeral DH
> keys. So the comment in the definition of struct cert_st (aka CERT)
> in ssl_locl.h is wrong:
>
> /* FIXME: Although rsa_tmp and dh_tmp are properties of the cert,
> callbacks probably aren't, and besides only the context default
> cert's callbacks are actually used. Too close to a release to fix
> this now - Ben 6 Mar 1999 */
> RSA *(*rsa_tmp_cb)(SSL *ssl,int export,int keysize);
> DH *(*dh_tmp_cb)(SSL *ssl,int export,int keysize);
>
> If rsa_tmp_cb is set for a specific SSL object, then currently this
> callback is simply ignored, even though the API now has functions to
> set this very callback (SSL_set_tmp_rsa_callback). Probably the
> SSL-object specific callbacks should always be used (just as with
> explicitly set non-callback parameters), because s->session->cert is
> initially the same as s->ctx->default_cert[1] until a change is
> explicitly requested.[2] The versions from s->ctx->default_cert can
> be used as fallbacks when no specific callback functions have been
> defined.
I'm still not convinced that the callbacks should be on the cert, but
OTOH that does give maximum flexibility, so I'm not going to argue very
hard.
Certainly the cert callbacks should be used (if set) if we are going to
keep them.
> [1] s->cert is set to s->session->cert by SSL_new, and
^^^^^^^ ctx, surely?
> s->session->cert is set to s->cert during the handshake if a new
> session is started.
>
> [2] More exactly, the first change to the SSL-object specific
> "cert" parameters causes a fresh s->cert to be created, which
> does not copy the values of s->ctx->default_cert; this happens in
> the call to ssl_cert_instantiate from within ssl_rsa.c
> (SSL_use_certificate, SSL_use_RSAPrivateKey, SSL_use_PrivateKey)
> or from within s3_lib.c (ssl3_ctrl, which is used to implement
> SSL_set_tmp_rsa_callback and so on).
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]