> [[email protected] - Sun May 31 22:08:11 2009]:
>
> It's possible for multiple certificates to have the same subject name,
> and if that happens then ssl3_output_cert_chain() may select the wrong
> one because it just picks a certificate by name and doesn't actually
> _check_ if it really is the right one.
>
> There's a function which gets this right; X509_STORE_CTX_get1_issuer().
> We should use it. dtls1_output_cert_chain() has the same problem.
>
> We fix the check for self-signed certificates too, while we're at it.
> Although that's much less likely to be a problem in practice.
>
> Patch applies to 0.9.8 and HEAD.
>
I agree the existing logic is badly broken; it's one of those things that has been almost untouched since SSLeay days. If however we are going to revise this I'd say we should use X509_verify_cert to build the chain instead of more ad-hoc stuff.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
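The failure mode both messages describe, modelled as an added example that is neither OpenSSL code nor the patch under discussion: a chain builder that picks the issuer purely by subject name silently selects the wrong one of two same-named CA certificates, while a lookup that also checks the candidate actually signed the certificate (the role X509_STORE_CTX_get1_issuer() plays) picks the right one. It also shows why "subject equals issuer" is not a sufficient self-signed test. Everything here is constructed: the Cert dataclass, a hash-based stand-in for signature verification (a real check would verify the signature with the issuer's public key), the helper names (find_issuer_by_name, find_issuer_checked, is_self_signed, build_chain) and the sample certificates, including a key-rollover cross-certificate that names itself as issuer but is signed by the older key.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed toy model (added example, not OpenSSL code). A "public key" is a
# short label; a "signature" is a hash bound to the signer's key, so that
# verifying under a different key fails, as it would with a real signature.


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pubkey: str
    signature: str


def _tbs(subject: str, issuer: str, pubkey: str) -> bytes:
    """The 'to be signed' portion of a toy certificate."""
    return f"{subject}|{issuer}|{pubkey}".encode()


def _toy_sign(signer_pubkey: str, data: bytes) -> str:
    # Stand-in for a real signature: binds data to the signer's key material.
    return hashlib.sha256(signer_pubkey.encode() + data).hexdigest()


def issue(subject: str, issuer_cert: Optional[Cert], pubkey: str) -> Cert:
    """Issue a cert; issuer_cert=None produces a self-signed certificate."""
    issuer_name = issuer_cert.subject if issuer_cert else subject
    signer_key = issuer_cert.pubkey if issuer_cert else pubkey
    sig = _toy_sign(signer_key, _tbs(subject, issuer_name, pubkey))
    return Cert(subject, issuer_name, pubkey, sig)


def verifies_under(cert: Cert, candidate_issuer: Cert) -> bool:
    """Does cert's signature check out under the candidate's key?"""
    expected = _toy_sign(candidate_issuer.pubkey,
                         _tbs(cert.subject, cert.issuer, cert.pubkey))
    return cert.signature == expected


def find_issuer_by_name(cert: Cert, store: List[Cert]) -> Optional[Cert]:
    """Old behaviour: first certificate whose subject matches, unchecked."""
    for c in store:
        if c.subject == cert.issuer:
            return c
    return None


def find_issuer_checked(cert: Cert, store: List[Cert]) -> Optional[Cert]:
    """Name must match AND the candidate must actually have signed cert."""
    for c in store:
        if c.subject == cert.issuer and verifies_under(cert, c):
            return c
    return None


def is_self_signed_by_name(cert: Cert) -> bool:
    """Weak test: name equality only (fooled by self-issued cross-certs)."""
    return cert.subject == cert.issuer


def is_self_signed(cert: Cert) -> bool:
    """Correct test: self-issued and verifies under its own key."""
    return cert.subject == cert.issuer and verifies_under(cert, cert)


Lookup = Callable[[Cert, List[Cert]], Optional[Cert]]


def build_chain(leaf: Cert, store: List[Cert], lookup: Lookup) -> List[Cert]:
    """Walk from leaf to a self-signed root using the supplied issuer lookup."""
    chain = [leaf]
    while not is_self_signed(chain[-1]):
        issuer = lookup(chain[-1], store)
        if issuer is None:
            raise ValueError(f"no issuer found for {chain[-1].subject}")
        if issuer in chain:
            raise ValueError("issuer loop detected")
        chain.append(issuer)
    return chain


def chain_is_valid(chain: List[Cert]) -> bool:
    """Every link must verify under the next certificate up the chain."""
    return all(verifies_under(chain[i], chain[i + 1])
               for i in range(len(chain) - 1)) and is_self_signed(chain[-1])


# Constructed sample data: two roots sharing one subject name (key rollover),
# a leaf issued by the newer key, and a cross-cert for the new key signed by
# the old key (subject == issuer, but not self-signed).
OLD_CA = issue("CN=Example CA", None, "ca-key-2005")
NEW_CA = issue("CN=Example CA", None, "ca-key-2009")
LEAF = issue("CN=www.example.test", NEW_CA, "leaf-key")
CROSS = issue("CN=Example CA", OLD_CA, "ca-key-2009")
STORE = [OLD_CA, NEW_CA]  # older cert listed first, as a store might be


def demo() -> dict:
    by_name = build_chain(LEAF, STORE, find_issuer_by_name)
    checked = build_chain(LEAF, STORE, find_issuer_checked)
    return {
        "by_name": [c.pubkey for c in by_name],
        "by_name_valid": chain_is_valid(by_name),
        "checked": [c.pubkey for c in checked],
        "checked_valid": chain_is_valid(checked),
    }


if __name__ == "__main__":
    print(demo())
    print("cross-cert self-signed by name:", is_self_signed_by_name(CROSS))
    print("cross-cert self-signed checked:", is_self_signed(CROSS))
```

The name-only builder returns a chain ending in the 2005 key that does not verify, which is exactly what a peer would reject; the checked lookup returns the 2009 root. The reply's suggestion to use X509_verify_cert goes one step further than this model: it delegates the whole chain construction to the verifier rather than hand-rolling the issuer search.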
