On Fri, Jun 26, 2009, David Woodhouse wrote:
> On Tue, 2009-06-02 at 13:40 +0200, Stephen Henson via RT wrote:
> > [[email protected] - Sun May 31 22:08:11 2009]:
> > >
> > > It's possible for multiple certificates to have the same subject name,
> > > and if that happens then ssl3_output_cert_chain() may select the wrong
> > > one because it just picks a certificate by name and doesn't actually
> > > _check_ if it really is the right one.
> > >
> > > There's a function which gets this right; X509_STORE_CTX_get1_issuer().
> > > We should use it. dtls1_output_cert_chain() has the same problem.
> > >
> > > We fix the check for self-signed certificates too, while we're at it.
> > > Although that's much less likely to be a problem in practice.
> > >
> > > Patch applies to 0.9.8 and HEAD.
> >
> > I agree the existing logic is badly broken, it's one of those things
> > that has been almost untouched since SSLeay days.
> >
> > If however we are going to revise this I'd say we should use
> > X509_verify_cert to build the chain instead of more ad-hoc stuff.
>
> I did as you asked... was it not to your liking?
Sorry for the delay in replying, doing a shed load of other stuff at present.

The patch looks OK but I will make a few minor changes to it: set the cert in X509_STORE_CTX_init() instead of the structure access. Also, doing fprintf() of the verify code is a definite no-no.

Also please include patches as plain text attachments, as mailers can line wrap and corrupt them if they are inline.

I did get a bit sidetracked looking at that code too. The DTLS and SSL/TLS versions of *_output_cert_chain() are almost identical and some code duplication could be avoided by combining the two.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
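The defect the ticket describes, modelled as an added example that is not OpenSSL's code: a chain builder that picks the issuer by subject name alone (as ssl3_output_cert_chain() did) beside one that checks the candidate actually signed the certificate (what X509_STORE_CTX_get1_issuer() / X509_verify_cert do). The Cert type, the SHA-256 stand-in for a signature and the "CN=Example CA" sample are constructed for this illustration; only the selection logic mirrors the thread.

```python
from collections import namedtuple
import hashlib

# key_id stands in for the public key; signature is a toy SHA-256 over the TBS fields
# plus the signer's key id, so it "verifies" only under the key that actually signed it.
Cert = namedtuple("Cert", "subject issuer key_id signature")

def _sig(subject, issuer, key_id, signer_key_id):
    return hashlib.sha256(f"{subject}|{issuer}|{key_id}|{signer_key_id}".encode()).hexdigest()

def issue(subject, key_id, issuer_cert=None):
    # Sign a cert for `subject` with the issuer's key; with no issuer it is self-signed.
    iss = issuer_cert.subject if issuer_cert else subject
    signer = issuer_cert.key_id if issuer_cert else key_id
    return Cert(subject, iss, key_id, _sig(subject, iss, key_id, signer))

def issued_by(cert, cand):
    # Real issuer check: names must agree AND the signature must verify under cand's key.
    return cert.issuer == cand.subject and \
        cert.signature == _sig(cert.subject, cert.issuer, cert.key_id, cand.key_id)

def build_chain(leaf, store, pick, is_root, max_depth=10):
    chain, cur = [leaf], leaf
    while not is_root(cur) and len(chain) < max_depth:
        nxt = next((c for c in store if pick(cur, c)), None)
        if nxt is None:
            break
        chain.append(nxt)
        cur = nxt
    return chain

def chain_by_name(leaf, store):
    # Mirrors the defect: the first store cert whose subject equals the issuer name wins,
    # and "self-signed" is judged by subject == issuer with no signature check.
    return build_chain(leaf, store, pick=lambda cur, c: c.subject == cur.issuer,
                       is_root=lambda cur: cur.subject == cur.issuer)

def chain_by_issuer_check(leaf, store):
    # Intended behaviour: the candidate must actually have signed `cur`, and a cert
    # is self-signed only when it verifies under its own key.
    return build_chain(leaf, store, pick=issued_by, is_root=lambda cur: issued_by(cur, cur))

# Constructed sample: two CA certs share the subject "CN=Example CA" (a re-keyed CA);
# the leaf was signed by the newer key, but the older cert sits first in the store.
CA_OLD = issue("CN=Example CA", "key-old")
CA_NEW = issue("CN=Example CA", "key-new")
LEAF = issue("CN=www.example.test", "key-leaf", CA_NEW)
STORE = [CA_OLD, CA_NEW]

def chains():
    # (chain from the name-only builder, chain from the issuer-checking one) as key ids
    return ([c.key_id for c in chain_by_name(LEAF, STORE)],
            [c.key_id for c in chain_by_issuer_check(LEAF, STORE)])
```

The name-only builder sends the old CA certificate, which never signed the leaf, so a peer verifying the chain would reject it; the issuer-checking builder selects the certificate whose key actually verifies the leaf's signature.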
