[openssl-users] SSL_CTX ignores many X509_STORE fields and uses own fields

Daurnimator quae at daurnimator.com
Fri Aug 17 13:25:01 UTC 2018


On 12 July 2018 at 18:49, Daurnimator <quae at daurnimator.com> wrote:
> When looking into https://github.com/wahern/luaossl/issues/140 I was
> surprised to learn that an SSL_CTX* (and SSL*) does not use many of
> the X509_STORE members.
>
> e.g. a store has a X509_VERIFY_PARAMS field, however although an
> SSL_CTX* has a related store, it ignores the store's params and uses
> its own.
>
> For a connection pooling implementation, I need to check that an
> existing SSL connection is something that could be approved by a given
> SSL_CTX*.
> I was hoping this would be as simple as doing (error handling omitted
> for brevity):
>
>     X509_STORE_CTX_init(vfy_ctx, SSL_CTX_get0_store(ctx), SSL_get_certificate(ssl), NULL);
>     X509_verify_cert(vfy_ctx);
>
> However it appears that I really need to do:
>
>     X509_STORE_CTX_init(vfy_ctx, SSL_CTX_get0_store(ctx), SSL_get_certificate(ssl), NULL);
>     X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(vfy_ctx), SSL_CTX_get0_param(ctx));
>     // X509_STORE_CTX_set_verify_cb based on SSL_CTX_get_verify_callback(ctx)
>     // X509_STORE_CTX_set0_dane
>     // etc. etc.
>     X509_verify_cert(vfy_ctx);
>
> Is this complexity warranted?
> Is there any plan to remove the redundant fields?
>
> Daurn.

Has anyone had time to look into this?
I filed the related https://github.com/openssl/openssl/issues/6709

