The implementation of SSL_set_SSL_CTX is fairly slim right now:
--- snip ---
SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
{
    if (ssl->ctx == ctx)
        return ssl->ctx;
#ifndef OPENSSL_NO_TLSEXT
    if (ctx == NULL)
        ctx = ssl->initial_ctx;
#endif
    if (ssl->cert != NULL)
        ssl_cert_free(ssl->cert);
    ssl->cert = ssl_cert_dup(ctx->cert);
    CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
    if (ssl->ctx != NULL)
        SSL_CTX_free(ssl->ctx); /* decrement reference count */
    ssl->ctx = ctx;
    return(ssl->ctx);
}
--- snip ---
I.e., of all SSL properties, it is only adjusting the cert, but
disregards the other settings of the new SSL_CTX. I think it would make
sense to apply most (all?) of the settings from the SSL_CTX which is
being switched to, such as
- ctx->options
- ctx->verify_mode, ctx->verify_callback
- ctx->sid_ctx, ctx->sid_ctx_length
- ctx->method
etc. - basically the stuff happening in SSL_new (assignments from ctx->...)
In mod_ssl, the SNI callback is currently adjusting some of these
settings (see
https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?r1=611216&r2=611215&pathrev=611216
for the initial version, which was slightly amended meanwhile), but as
it turns out, this is incomplete and currently misses ctx->method, among
others.
To me it would make more sense to take care of this in SSL_set_SSL_CTX
instead of putting the burden on the application. Note that in the case
of ctx->method specifically, there's no way to get at it when compiling
with OPENSSL_NO_SSL_INTERN. So if this bug gets status "rejected" for
whatever reason, then I'm asking at least for SSL_CTX_get_ssl_method()
being added :-) (allowing me to fix
https://issues.apache.org/bugzilla/show_bug.cgi?id=55707).
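A constructed stand-in model of the two behaviours, added here and not code from OpenSSL or mod_ssl: the structures hold only the fields the report names, the option and verify_mode values are made up, and the check function is a hypothetical post-switch consistency test an application could run after its SNI callback.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model, not the real SSL_CTX/SSL layout: only the fields the
 * report lists, with the method and cert reduced to names. */
typedef struct {
    int references;        /* reference count, as CRYPTO_add/SSL_CTX_free adjust it */
    unsigned long options; /* ctx->options */
    int verify_mode;       /* ctx->verify_mode (0 = none, 1 = verify peer) */
    const char *method;    /* ctx->method */
    const char *cert;      /* ctx->cert */
} ctx_t;

typedef struct {
    ctx_t *ctx;
    unsigned long options;
    int verify_mode;
    const char *method;
    const char *cert;
} ssl_t;

/* Mirrors the snipped function: swap the reference and the cert, nothing else. */
ctx_t *set_ctx_current(ssl_t *ssl, ctx_t *ctx) {
    if (ssl->ctx == ctx) return ssl->ctx;
    ssl->cert = ctx->cert;                /* ssl_cert_dup(ctx->cert) */
    ctx->references++;                    /* CRYPTO_add(&ctx->references, 1, ...) */
    if (ssl->ctx) ssl->ctx->references--; /* SSL_CTX_free(ssl->ctx) */
    ssl->ctx = ctx;
    return ssl->ctx;
}

/* The behaviour the report asks for: also carry over the SSL_new-style
 * assignments so the SSL object reflects the context it now belongs to. */
ctx_t *set_ctx_proposed(ssl_t *ssl, ctx_t *ctx) {
    set_ctx_current(ssl, ctx);
    ssl->options = ctx->options;
    ssl->verify_mode = ctx->verify_mode;
    ssl->method = ctx->method;
    return ssl->ctx;
}

/* Hypothetical post-switch check: does the SSL object carry the settings of
 * the ctx it now points to? Returns 1 if consistent, 0 if something was dropped. */
int ssl_matches_ctx(const ssl_t *ssl) {
    const ctx_t *c = ssl->ctx;
    return c != NULL && ssl->cert == c->cert && ssl->options == c->options &&
           ssl->verify_mode == c->verify_mode && strcmp(ssl->method, c->method) == 0;
}

/* Walk one vhost switch as an SNI callback would: default ctx without client
 * cert verification, vhost ctx that requires it. Returns -1 on a refcount
 * imbalance, otherwise the result of ssl_matches_ctx(). Values are constructed. */
int demo(int use_proposed) {
    ctx_t def = {1, 0x0, 0, "TLSv1", "default.crt"};
    ctx_t vhost = {1, 0x800, 1, "TLSv1_2", "vhost.crt"};
    ssl_t ssl = {&def, def.options, def.verify_mode, def.method, def.cert};
    def.references++; /* SSL_new took its own reference on the default ctx */
    if (use_proposed) set_ctx_proposed(&ssl, &vhost);
    else set_ctx_current(&ssl, &vhost);
    if (def.references != 1 || vhost.references != 2) return -1;
    return ssl_matches_ctx(&ssl);
}
```

With the current behaviour the switch leaves the vhost's verify_mode, options and method unapplied while the reference counts are nonetheless correct; the proposed variant makes the check pass.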
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]