These 2 #defines exist for SSL_CTX->extra_certs:

In 1.0.2-dev, the #defines such as SSL_CTX_add0_chain_cert allow me to specify different chains for different certificate types, but AFAICT there are no associated get() or clear() functions.

I can't see a way to squeeze a standalone SSL_CTX_get_chain_certs function into SSL_CTX_ctrl(). There's only 1 pointer argument available, so I can't pass in an X509* (to indicate which cert I want the chain for) and get back a STACK_OF(X509)* (the chain).

One option would be to have another SSL_CTX_ctrl #define called SSL_CTX_get_cert_type, which would accept an X509* and return the index of that cert (i.e. SSL_CTX->CERT->pkeys[index]->x509), or -1 if not found. That index could then be passed to SSL_CTX_get_chain_certs in the larg argument. However, since the SSL_PKEY_* #defines are private (in ssl_locl.h), I'm unsure whether exposing these values in the public APIs would be acceptable.

The other option would be to write SSL_CTX_get_chain_certs() as a proper function (instead of a SSL_CTX_ctrl #define), but I'm unsure whether or not that would be better than the first option.

Any preference?


Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
OpenSSL Project                       
Development Mailing List             
Automated List Manager                 

Reply via email to