Is there an officially condoned mechanism to avoid caching the peer certificate of unverified clients? I want to cache the session keys, but if the peer certificate is not verified, there is not much point in burning storage saving it in the session cache. Is it perhaps possible to drop the cert early in the verification callback (when the verification failure is detected)?
I could void the warranty by:

    #ifdef DONT_TRY_THIS_AT_HOME
    X509_free(session->peer);
    session->peer = 0;
    #endif
    buflen = i2d_SSL_SESSION(session, 0);
    ...

but I don't believe that I am supposed to bypass the accessor methods and mess with the SSL_SESSION structure directly...

-- Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]