On 21/09/12 15:04, Stephen Henson via RT wrote:
[rob.stradl...@comodo.com - Fri Sep 21 15:55:39 2012]:

Hi Steve.

I saw your update (to 1.0.2 and HEAD), and I did start looking at
backporting it into my 1.0.1/1.0.0/0.9.8 patches.

ssl_get_server_send_pkey() is not available in 1.0.1 and earlier, so the
t1_lib.c patch would have to be something like...

+               X509 *x;
+               x = ssl_get_server_send_cert)s);
+               /* If no certificate can't return certificate status */
+               if (x == NULL)
+                       {
+                       s->tlsext_status_expected = 0;
+                       return 1;
+                       }
+               /* Set current certificate to one we will use so
+                * SSL_get_certificate et al can pick it up.
+                */
+               s->cert->key->x509 = x;
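Review bot: the call on the second line, `x = ssl_get_server_send_cert)s);`, has a `)` where the opening `(` belongs, so this hunk will not compile as written; it should read `x = ssl_get_server_send_cert(s);`. The larger problem is the final line, `s->cert->key->x509 = x;`: it overwrites the current certificate slot with the selected certificate without touching the matching private key or certificate type, so the key and certificate in `s->cert->key` can stop corresponding, and whatever was previously in that slot is dropped without a reference release. Rather than mutating `s->cert->key` here, select the certificate and its key together, which is what the `ssl_get_server_send_pkey` change (cn=22840) provides and why it should be backported alongside this patch.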

Is it OK to update s->cert->key->x509 like this?


No because you could end up with all sorts of bad things happening (keys
and certificates not matching, certificate types not matching and memory
leaks).

That's what I thought.

Easiest solution is to also backport ssl_get_server_send_pkey see:

http://cvs.openssl.org/chngview?cn=22840

I didn't think of that.  Thanks!

I'll prepare patches to backport 22840 to 1.0.0 and 0.9.8 (unless you or Ben get there first).

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org