Arne Ansper <[EMAIL PROTECTED]>:
>> Like I say, they should only do this if there was an error reported, surely?
> No. Take a look at the SSL_CTX_use_certificate_chain_file:
>
> ret=SSL_CTX_use_certificate(ctx,x);
> if (ERR_peek_error() != 0)
> ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */
Actually I think this is a bug in SSL_CTX_use_certificate() -- if it
intentionally ignores an error returned by X509_check_private_key(),
it should call ERR_clear_error().
The reason why I did not fix this when I looked at this some time ago
is some rather weird code in ssl_set_cert(), the function used by
SSL_CTX_use_certificate() from which X509_check_private_key() is
called. (If you look at ssl_set_cert(), you'll see that it switches
from SSL_PKEY_DH_RSA to SSKL_PKEY_DH_DSA and the other way around,
which does not appear to make much sense.) Investigating this has
been on my "to do" list for a while. Once this has been resolved,
the lines
if (ERR_peek_error() != 0)
ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */
can be removed from SSL_CTX_use_certificate_chain_file().
--
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
