On Tue, 2009-06-02 at 13:40 +0200, Stephen Henson via RT wrote:
> > [[email protected] - Sun May 31 22:08:11 2009]:
> >
> > It's possible for multiple certificates to have the same subject name,
> > and if that happens then ssl3_output_cert_chain() may select the wrong
> > one because it just picks a certificate by name and doesn't actually
> > _check_ if it really is the right one.
> >
> > There's a function which gets this right; X509_STORE_CTX_get1_issuer().
> > We should use it. dtls1_output_cert_chain() has the same problem.
> >
> > We fix the check for self-signed certificates too, while we're at it.
> > Although that's much less likely to be a problem in practice.
> >
> > Patch applies to 0.9.8 and HEAD.
> >
>
> I agree the existing logic is badly broken, it's one of those things
> that has been almost untouched since SSLeay days.
>
> If however we are going to revise this I'd say we should use
> X509_verify_cert to build the chain instead of more ad-hoc stuff.
I did as you asked... was it not to your liking?

-- 
dwmw2

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
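The selection bug the thread describes, as an added example that is not OpenSSL code and not the patch under discussion: a chain builder that picks an issuer by subject name alone is compared with one that checks the candidate actually issued the child. The "certificates" are constructed records with made-up names and key identifiers; the issued-by check (issuer name plus AKID/SKID match) stands in for the name and key-identifier steps of OpenSSL's X509_check_issued() and omits the signature verification that X509_STORE_CTX_get1_issuer() and X509_verify_cert() also perform. The scenario is a re-keyed root CA, so two root certificates share one subject name, plus a cross-signed root to show why the self-signed test needs fixing too.

```python
# Added example (not OpenSSL code): a simplified model of the issuer-selection
# bug discussed in the thread.  A "certificate" here is a constructed record
# carrying only the fields the selection logic needs.  Real chain building must
# also verify the signature; this model stops at the name and key-identifier
# checks, which approximate the first steps of OpenSSL's X509_check_issued().
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    skid: str  # Subject Key Identifier: identifies this cert's own key
    akid: str  # Authority Key Identifier: SKID of the key that signed it


def self_signed_by_name(cert: Cert) -> bool:
    """Old, name-only self-signed test: subject == issuer."""
    return cert.subject == cert.issuer


def is_self_signed(cert: Cert) -> bool:
    """Fixed test: the cert must also be signed by its own key.

    A cross-signed root has subject == issuer but a different AKID and must
    not be mistaken for the end of the chain."""
    return cert.subject == cert.issuer and cert.skid == cert.akid


def check_issued(candidate: Cert, child: Cert) -> bool:
    """Could `candidate` have issued `child`?  The name must match and the
    child's AKID must name the candidate's key (signature check omitted)."""
    return candidate.subject == child.issuer and candidate.skid == child.akid


def find_by_name(store: List[Cert], child: Cert) -> Optional[Cert]:
    """Broken strategy: first store entry whose subject equals child's issuer."""
    return next((c for c in store if c.subject == child.issuer), None)


def find_issuer(store: List[Cert], child: Cert) -> Optional[Cert]:
    """Correct strategy: first store entry that passes check_issued()."""
    return next((c for c in store if check_issued(c, child)), None)


def build_chain(leaf: Cert, store: List[Cert],
                find: Callable[[List[Cert], Cert], Optional[Cert]],
                self_signed: Callable[[Cert], bool],
                max_depth: int = 8) -> List[Cert]:
    """Walk from the leaf towards a root using the given issuer lookup and
    self-signed predicate; stops on a missing issuer, a loop, or max_depth."""
    chain = [leaf]
    while not self_signed(chain[-1]) and len(chain) < max_depth:
        nxt = find(store, chain[-1])
        if nxt is None or nxt in chain:  # no issuer, or we would loop
            break
        chain.append(nxt)
    return chain


# Constructed scenario: "Example Root CA" was re-keyed, so two roots share one
# subject name.  The intermediate was signed by the NEW root key.
OLD_ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", "root-key-1", "root-key-1")
NEW_ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", "root-key-2", "root-key-2")
# The new root key cross-signed by the old one: subject == issuer, not self-signed.
CROSS = Cert("CN=Example Root CA", "CN=Example Root CA", "root-key-2", "root-key-1")
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Root CA", "ica-key", "root-key-2")
LEAF = Cert("CN=www.example.com", "CN=Example Issuing CA", "leaf-key", "ica-key")

STORE_TWO_ROOTS = [OLD_ROOT, NEW_ROOT, INTERMEDIATE]  # old root listed first
STORE_CROSS = [CROSS, OLD_ROOT, INTERMEDIATE]         # cross cert listed first


def key_ids(chain: List[Cert]) -> List[str]:
    return [c.skid for c in chain]


if __name__ == "__main__":
    for label, store in (("two roots", STORE_TWO_ROOTS), ("cross-signed", STORE_CROSS)):
        broken = build_chain(LEAF, store, find_by_name, self_signed_by_name)
        fixed = build_chain(LEAF, store, find_issuer, is_self_signed)
        print(f"{label:12} by name : {key_ids(broken)}")
        print(f"{label:12} checked : {key_ids(fixed)}")
```

With the two-root store the name-only lookup sends the peer the old root, whose key did not sign the intermediate, so a verifier that trusts only the new root will fail. With the cross-signed store the name-only self-signed test stops at the cross certificate and never sends the old root that actually terminates that path; fixing the lookup without fixing the self-signed test would instead make the name lookup return the cross certificate for itself, which is why the loop guard in build_chain matters.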
