httpd-dev mailing list archives

From Dr Stephen Henson <shen...@opensslfoundation.com>
Subject Re: svn commit: r1160863 - in /httpd/httpd/trunk: docs/manual/mod/ modules/ssl/
Date Mon, 05 Sep 2011 16:52:34 GMT
On 05/09/2011 17:32, Kaspar Brand wrote:
> 
> SSL_CTX_add_extra_chain_cert() isn't an option for us, I assume, so the
> best we can probably do in ssl_init_proxy_certs() is to load the certs
> specified via ProxyMachineCertificateChainFile with
> X509_STORE_load_locations and rely on OpenSSL's "auto chain building"
> afterwards.
> 

A potential gotcha is that you end up loading the client CAs into the trusted
certificate store, which isn't always what you want. For example, if that context
gets reused, they'll be trusted server CA certificates later.

Also I think this:

+        chain = sk_X509_new_null();
+        for (i = 0; i < sk_X509_num(sctx->chain); i++) {
+           sk_X509_push(chain, sk_X509_value(sctx->chain, i));
+        }
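Review bot: the loop copies the X509 pointers out of sctx->chain into the new stack without incrementing their reference count, so `chain` only borrows certificates that the verify context still owns; it also pushes into the result of `sk_X509_new_null()` without checking it for NULL. Replace the allocation and the loop with `chain = X509_STORE_CTX_get1_chain(sctx);`, which allocates the stack and takes a reference on every certificate it contains, and treat a NULL return as an initialisation failure.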

along with:

+    X509_STORE_CTX_free(sctx);
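Review bot: this free releases the context's own chain, so a `chain` built from borrowed pointers (as in the copy loop above) refers to freed certificates from this line on; free the context only once the copied chain holds its own references, which is what X509_STORE_CTX_get1_chain provides, and then the order of the two calls no longer matters.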

will end up freeing the certificates you just added to the chain. You can
replace all of that with:

chain = X509_STORE_CTX_get1_chain(sctx);

which creates a STACK_OF(X509) and ups the reference count of the added
certificates so they stick around after you free the context.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com
