On 16/06/12 23:31, Dr. Stephen Henson wrote:
> <snip>
>> Is there a way to patch httpd so that it can work around the
>> limitations in the OpenSSL API and always send the correct OCSP
>> Response?
>>
>> Possible changes to OpenSSL:
>>
>> Should the Stapling Callback function be called later in the
>> handshake (perhaps in ssl_add_serverhello_tlsext()), after the
>> cipher has been selected?
>>
>> Should ssl_get_server_send_cert() be made available for applications
>> to call? Or should SSL_get_certificate() be updated so that it
>> always returns the cert that the server will actually send?
>
> I can't immediately think of a clean solution to this problem. I think it
> makes sense for OpenSSL to return the server certificate actually used via
> SSL_get_certificate().

Agreed. This would avoid the need to implement a fix/workaround in the
httpd code, and would presumably also mean that the OpenSSL 1.0.x branch
can be fixed without breaking binary compatibility.

> See if adding:
>
> c->key = c->pkeys + i;
>
> to ssl_get_server_send_cert fixes this.
>
> Which it won't because the status callback is called too soon as you noted.

Would moving the status callback to a sufficiently later point in the
handshake work?
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
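The ordering problem the thread is about (a stapling callback that runs before the cipher, and therefore the certificate, has been chosen) can be shown with a small model of a dual-certificate server. The following is an added example, not code from this thread, from OpenSSL or from httpd; every name in it (ModelServer, CIPHER_AUTH, the certificate names, the staple bytes) is constructed for the model and does not correspond to the real OpenSSL API. It runs the same ClientHello twice, once with the callback invoked before cipher selection (the behaviour Stephen describes) and once after, and reports whether the stapled OCSP response belongs to the certificate actually sent.

```python
"""
Model of the OCSP stapling ordering problem discussed in the thread.

A server that holds more than one certificate (say one RSA and one ECDSA)
only knows which certificate it will send once the cipher suite has been
chosen, because the cipher's authentication type selects the key. A status
(stapling) callback that runs before cipher selection can only see a
default certificate and may therefore staple an OCSP response for the
wrong certificate. Everything here (class and function names, cipher
table, certificate names, staple bytes) is constructed for this model and
is not OpenSSL's or httpd's own API or data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    name: str
    key_type: str  # "RSA" or "ECDSA"


# Constructed table: cipher suite -> authentication key type it requires.
CIPHER_AUTH = {
    "ECDHE-ECDSA-AES128-GCM-SHA256": "ECDSA",
    "ECDHE-RSA-AES128-GCM-SHA256": "RSA",
    "AES128-SHA": "RSA",
}


class ModelServer:
    def __init__(self, certs, server_prefs, staples):
        # certs[0] plays the role of the certificate an early
        # SSL_get_certificate() call would report before selection.
        self.default_cert = certs[0]
        self.certs = {c.key_type: c for c in certs}
        self.server_prefs = server_prefs
        self.staples = staples  # cert name -> OCSP response bytes (constructed)

    def choose_cipher(self, client_ciphers):
        """Server-preference selection: first server-preferred suite the
        client offers and for which we hold a matching key."""
        for suite in self.server_prefs:
            if suite in client_ciphers and CIPHER_AUTH[suite] in self.certs:
                return suite
        raise ValueError("no shared cipher")

    def handshake(self, client_ciphers, callback_before_selection):
        """Run the ordering-sensitive part of a server handshake and report
        which certificate is sent and which OCSP response is stapled."""
        staple = None
        if callback_before_selection:
            # Early callback: only the default certificate is known.
            staple = self.staples.get(self.default_cert.name)
        cipher = self.choose_cipher(client_ciphers)
        cert = self.certs[CIPHER_AUTH[cipher]]
        if not callback_before_selection:
            # Late callback: the certificate that will actually be sent is known.
            staple = self.staples.get(cert.name)
        return {
            "cipher": cipher,
            "cert": cert.name,
            "staple": staple,
            "staple_matches_cert": staple == self.staples.get(cert.name),
        }


def build_server():
    """Constructed dual-certificate server preferring ECDSA suites."""
    rsa = Cert("rsa.example", "RSA")
    ecdsa = Cert("ecdsa.example", "ECDSA")
    staples = {
        "rsa.example": b"OCSP-RESPONSE-FOR-RSA-CERT",
        "ecdsa.example": b"OCSP-RESPONSE-FOR-ECDSA-CERT",
    }
    prefs = ["ECDHE-ECDSA-AES128-GCM-SHA256",
             "ECDHE-RSA-AES128-GCM-SHA256",
             "AES128-SHA"]
    return ModelServer([rsa, ecdsa], prefs, staples)


def compare_callback_timing(client_ciphers):
    """Return (early, late) handshake results for the same ClientHello."""
    server = build_server()
    return (server.handshake(client_ciphers, callback_before_selection=True),
            server.handshake(client_ciphers, callback_before_selection=False))


if __name__ == "__main__":
    ecdsa_client = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"]
    for label, result in zip(("early callback", "late callback"),
                             compare_callback_timing(ecdsa_client)):
        print(f"{label}: sends {result['cert']}, staples {result['staple']!r}, "
              f"match={result['staple_matches_cert']}")
```

With a client that can negotiate an ECDSA suite, the early callback staples the RSA certificate's response to an ECDSA certificate, which a stapling-aware client will reject; the late callback staples the right one. A client that only offers RSA suites is unaffected either way, which is why the problem only surfaces on servers configured with more than one certificate.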