httpd-dev mailing list archives

From Dr Stephen Henson <>
Subject Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)
Date Mon, 03 Feb 2014 11:21:53 GMT
On 02/02/2014 13:45, Kaspar Brand wrote:
> On 01.02.2014 14:37, Dr Stephen Henson wrote:
>> I'm wondering how that could be avoided. Would a way to enumerate all
>> certificates in an SSL_CTX structure in OpenSSL help? Something like
>> SSL_CTX_get0_first_certificate() and SSL_CTX_get0_next_certificate(). That would
>> also set the current certificate at the same time in case applications wanted to
>> inspect the private key or chain.
> Yes, this sounds like a useful extension - not only for the issue at
> hand (i.e. SSL_CONF and stapling initialisation), but as a general
> mechanism for retrieving all certificates of an SSL_CTX.

Added now. The API is slightly different, but easy enough to use.

To iterate over all certificates in an SSL_CTX something like this will do the

X509 *x;
int rv;
/* Make the first certificate in the SSL_CTX "current"; returns 0 if there is none. */
rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
while (rv) {
	/* The current certificate; its private key and chain can be retrieved
	 * alongside it with SSL_CTX_get0_privatekey() and SSL_CTX_get0_chain_certs(). */
	x = SSL_CTX_get0_certificate(ctx);
	/* ... inspect x ... */
	rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT);
}

Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
