2017-02-08 23:39 GMT+01:00 Steffan Karger <stef...@karger.me>:
> The code change looks good, and passes my (manual) tests.  I'd like to
> keep the comment though, because this still is a hack/workaround to get
> the private key from the SSL_CTX object, it just does so a little nicer
> at the cost of a number of malloc/free calls.

Thanks for the review!

The hack was there because the code was accessing the cert in a strange way,
not using OpenSSL's functions; that's why I thought it was a good
idea to remove it.
But I'll add it back.

> It might be even worth noting that the workaround is only needed for
> OpenSSL <= 1.0.1, because later versions do have a function to get the
> private key from a struct SSL_CTX directly.  By noting that explicitly,
> we help ourselves remember to get rid of the hack as soon as we drop
> support for these OpenSSL versions.

That's right. I've just looked and, like Arne said, we just have to add
a check for OpenSSL >= 1.0.2 and not LibreSSL to use the new function.
I'll update my patch later today.

LibreSSL will probably also add SSL_CTX_get0_privatekey() in a later
version, so the check will need to be updated.

Best Regards,
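The version gate discussed in this thread, written out as an added example (this is not the OpenVPN patch under review). The `OPENSSL_VERSION_NUMBER` encoding (`0xMNNFFPPS`, so 1.0.2 is `0x10002000L`) and the fact that LibreSSL reports `OPENSSL_VERSION_NUMBER` as `0x20000000L` while defining `LIBRESSL_VERSION_NUMBER` are OpenSSL/LibreSSL facts; the function names `openssl_version_number`, `can_use_ssl_ctx_get0_privatekey` and `ctx_private_key` are my own. The shim at the bottom is only compiled when `<openssl/ssl.h>` is found, and linking it needs `-lssl -lcrypto`; the runtime helpers above it compile with no OpenSSL at all.

```c
#include <stdio.h>

/* OPENSSL_VERSION_NUMBER is laid out as 0xMNNFFPPS: major, minor, fix,
 * patch, status.  OpenSSL 1.0.2 is therefore 0x10002000L.  LibreSSL keeps
 * OPENSSL_VERSION_NUMBER pinned at 0x20000000L and defines
 * LIBRESSL_VERSION_NUMBER, so a bare ">= 1.0.2" test would wrongly pick
 * SSL_CTX_get0_privatekey() on LibreSSL, which (at the time of this thread)
 * does not have it.  That is why the check must also exclude LibreSSL. */
#define OPENSSL_1_0_2_VERSION_NUMBER   0x10002000L
#define LIBRESSL_OPENSSL_VERSION_NUMBER 0x20000000L

/* Build an OPENSSL_VERSION_NUMBER-style value from major.minor.fix
 * (patch letter and status left as zero). Hypothetical helper name. */
unsigned long openssl_version_number(unsigned major, unsigned minor, unsigned fix)
{
    return ((unsigned long)major << 28)
         | ((unsigned long)minor << 20)
         | ((unsigned long)fix   << 12);
}

/* Runtime mirror of the preprocessor condition
 *   #if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
 * Returns 1 when SSL_CTX_get0_privatekey() may be called directly and 0 when
 * the SSL_new()/SSL_get_privatekey()/SSL_free() workaround is still needed.
 * Hypothetical helper name. */
int can_use_ssl_ctx_get0_privatekey(unsigned long version, int libressl_defined)
{
    if (libressl_defined) {
        return 0;               /* LibreSSL: version number is meaningless here */
    }
    return version >= OPENSSL_1_0_2_VERSION_NUMBER;
}

/* The shim itself.  Only compiled when the OpenSSL/LibreSSL headers are
 * available (detected with __has_include on GCC/Clang). */
#if defined(__has_include)
# if __has_include(<openssl/ssl.h>)
#  include <openssl/ssl.h>
# endif
#endif

#ifdef OPENSSL_VERSION_NUMBER
/* Return the private key installed in ctx.  The returned pointer is owned
 * by ctx (borrowed reference); the caller must not free it.  Hypothetical
 * helper name, not OpenVPN's own function. */
static EVP_PKEY *ctx_private_key(SSL_CTX *ctx)
{
#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
    /* OpenSSL >= 1.0.2: direct accessor, no allocations. */
    return SSL_CTX_get0_privatekey(ctx);
#else
    /* Older OpenSSL / LibreSSL: create a throwaway SSL object from the
     * context, read its key, and free it again.  The key outlives the SSL
     * object because ctx still holds its own reference. */
    SSL *ssl = SSL_new(ctx);
    EVP_PKEY *pkey = ssl ? SSL_get_privatekey(ssl) : NULL;
    SSL_free(ssl);
    return pkey;
#endif
}
#endif

int main(void)
{
    printf("1.0.1 OpenSSL  -> direct accessor: %d\n",
           can_use_ssl_ctx_get0_privatekey(openssl_version_number(1, 0, 1), 0));
    printf("1.0.2 OpenSSL  -> direct accessor: %d\n",
           can_use_ssl_ctx_get0_privatekey(openssl_version_number(1, 0, 2), 0));
    printf("LibreSSL       -> direct accessor: %d\n",
           can_use_ssl_ctx_get0_privatekey(LIBRESSL_OPENSSL_VERSION_NUMBER, 1));
    return 0;
}
```

When LibreSSL eventually ships SSL_CTX_get0_privatekey(), the `!defined(LIBRESSL_VERSION_NUMBER)` clause is the part that has to change (to a `LIBRESSL_VERSION_NUMBER` lower bound), which is the follow-up the thread anticipates.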
