On Fri, Mar 18, 2005 at 12:21:08PM -0500, Victor Duchovni wrote:
> On Fri, Mar 18, 2005 at 06:02:06PM +0100, Lutz Jaenicke wrote:
> > > I could void the warranty by:
> > >
> > > #ifdef DONT_TRY_THIS_AT_HOME
> > > X509_free(session->peer);
> > > session->peer = 0;
> > > #endif
> > > buflen = i2d_SSL_SESSION(session, 0);
> > > ...
> > >
> > > but I don't believe that I am supposed to bypass the accessor methods
> > > and mess with the SSL_SESSION structure directly...
> >
> > But you have found the only way to handle the problem. There is no
> > official API to achieve the same effect :-)
>
> If I take the shortcut, will I get into trouble with future releases?

In practice it is most likely that you won't run into trouble. It is,
however, not guaranteed...

> Is any sort of binary compatibility for shared libraries from version
> A.B.C to X.Y.Z with suitable constraints on (A,B) and (X,Y) contemplated
> for OpenSSL?

We try our best to keep binary compatibility for the 0.9.7 releases, such
that patchlevels a-e should work fine. There will be no binary
compatibility with 0.9.8.

> A few macros already depend on structure offsets, but only for the
> SSL context, not SSL or SSL_SESSION:
>
> #define SSL_CTX_sess_set_new_cb(ctx,cb) ((ctx)->new_session_cb=(cb))
> #define SSL_CTX_sess_get_new_cb(ctx) ((ctx)->new_session_cb)
> #define SSL_CTX_sess_set_remove_cb(ctx,cb) ((ctx)->remove_session_cb=(cb))
> #define SSL_CTX_sess_get_remove_cb(ctx) ((ctx)->remove_session_cb)
> #define SSL_CTX_sess_set_get_cb(ctx,cb) ((ctx)->get_session_cb=(cb))
> #define SSL_CTX_sess_get_get_cb(ctx) ((ctx)->get_session_cb)
> #define SSL_CTX_set_info_callback(ctx,cb) ((ctx)->info_callback=(cb))
> #define SSL_CTX_get_info_callback(ctx) ((ctx)->info_callback)
> #define SSL_CTX_set_client_cert_cb(ctx,cb) ((ctx)->client_cert_cb=(cb))
> #define SSL_CTX_get_client_cert_cb(ctx) ((ctx)->client_cert_cb)
>
> So would it be wise or foolish to use session->peer in (say for example
> :-) the Postfix source code?

I would say it should be ok as long as it is armored with a corresponding
version check:

  #if (OPENSSL_VERSION_NUMBER <= 0x0090581fL)

and the corresponding #endif (note that the version listed in this example
is pretty old: 0.9.5a; you will have to set your own dependencies).

Note: this answer is biased towards the Postfix point of view. As a member
of the OpenSSL team I recommend not using such a hack but simply leaving
the certificate handling as is :-)

Note: I did not see any other request for such a change of behaviour, so
I do not think that an option to either save the peer certificate (or
not) within the session will be implemented in a later OpenSSL release.

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
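Added example (editor's own code, not from the thread, from Postfix or from OpenSSL): a small C helper that decodes an OPENSSL_VERSION_NUMBER value in the MNNFFPPS nibble layout that OpenSSL's opensslv.h documents, including the 0.9.5 series quirk that makes 0.9.5a read 0x0090581f, and applies the kind of version guard Lutz recommends around code that pokes at SSL_SESSION internals. The accepted range 0.9.7a..0.9.7e is an assumption chosen to mirror his remark about 0.9.7 patch levels; the struct and function names are mine, and the sample values are constructed. It needs no OpenSSL headers, since the guard itself is what is being shown.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fields of an OPENSSL_VERSION_NUMBER (MNNFFPPS nibbles, per opensslv.h). */
struct ossl_version {
    unsigned major, minor, fix, patch;
    unsigned status;   /* 0 = development, 1..14 = beta n, 15 = release */
};

/* Split the packed number into its fields.  Between 0.9.5 and 0.9.6 the
 * patch-letter field carried its high bit set (0.9.5a == 0x0090581f), so
 * that bit is stripped for that one series only. */
struct ossl_version ossl_decode(unsigned long v)
{
    struct ossl_version r;
    r.major  = (unsigned)((v >> 28) & 0x0f);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >>  4) & 0xff);
    r.status = (unsigned)( v        & 0x0f);
    if (r.major == 0 && r.minor == 9 && r.fix == 5)
        r.patch &= 0x7f;
    return r;
}

/* Render as the familiar "0.9.7e" / "0.9.3-beta1" / "0.9.8-dev" form. */
int ossl_format(unsigned long v, char *buf, size_t n)
{
    struct ossl_version r = ossl_decode(v);
    char letter[2] = { r.patch ? (char)('a' + r.patch - 1) : '\0', '\0' };

    if (r.status == 0x0f)
        return snprintf(buf, n, "%u.%u.%u%s", r.major, r.minor, r.fix, letter);
    if (r.status == 0)
        return snprintf(buf, n, "%u.%u.%u%s-dev", r.major, r.minor, r.fix, letter);
    return snprintf(buf, n, "%u.%u.%u%s-beta%u",
                    r.major, r.minor, r.fix, letter, r.status);
}

/* Hypothetical guard for code that touches SSL_SESSION internals directly
 * (session->peer in the thread).  ASSUMPTION: the layout was only validated
 * against the 0.9.7a..0.9.7e release line, so every other version, including
 * 0.9.7 betas/dev snapshots and anything 0.9.8 or newer, is refused. */
bool ossl_session_hack_allowed(unsigned long v)
{
    struct ossl_version r = ossl_decode(v);
    return r.major == 0 && r.minor == 9 && r.fix == 7
        && r.status == 0x0f && r.patch >= 1 && r.patch <= 5;
}

int main(void)
{
    /* Constructed sample inputs: the value quoted in the thread plus a few
     * neighbours on either side of the assumed window. */
    static const unsigned long samples[] = {
        0x0090581fUL, 0x0090700fUL, 0x0090701fUL, 0x0090705fUL,
        0x0090706fUL, 0x0090800fUL, 0x00903001UL,
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[32];
        ossl_format(samples[i], buf, sizeof buf);
        printf("0x%08lx -> %-12s hack %s\n", samples[i], buf,
               ossl_session_hack_allowed(samples[i]) ? "allowed" : "refused");
    }
    return 0;
}
```

In a real build the same window is expressed at compile time, for example `#if OPENSSL_VERSION_NUMBER >= 0x0090701fL && OPENSSL_VERSION_NUMBER <= 0x0090705fL` around the struct-poking code, with an `#error` in the `#else` branch so a newer library cannot be compiled against silently; the runtime function above is the companion check against the version the shared library actually reports (SSLeay() in the 0.9.x API), since a binary built against 0.9.7 can still be loaded against a later, layout-incompatible library.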