SSL_check_chain() broken
Short, Todd
tshort at akamai.com
Fri Jun 7 14:49:13 UTC 2019
Hi,
It looks as though SSL_check_chain() use within the cert_cb (as recommended) was broken by PR 7257.
PR 7257 moves setting the shared_sigalgs to after the cert_cb takes place, but deep down in the call stack, SSL_check_chain() has a dependency on shared_sigalgs being set.
In 1.1.1, the following works, using SSL_check_chain() in the cert_cb. But it fails in 1.1.1a:
apps/openssl s_server -xcert apps/server.pem -xkey apps/server.pem -nocert
Is there harm in setting the shared_sigalgs before cert_cb and resetting them if SSL_set_SSL_CTX() is called? Basically what PR 7256 tried to do?
I opened issue 9099.
--
-Todd Short
// tshort at akamai.com
// “One if by land, two if by sea, three if by the Internet.”
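
The ordering dependency described in the message, as a simplified model added here for illustration (not OpenSSL's code and not part of the original post). The struct, the function names and the sample lists are hypothetical; only the signature scheme code points are real (RFC 8446), and keeping the shared list in the peer's order is an assumption of the model.

```c
#include <stddef.h>
#include <stdint.h>

/* TLS SignatureScheme code points (RFC 8446, section 4.2.3). */
enum { RSA_PKCS1_SHA256 = 0x0401, ECDSA_SECP256R1_SHA256 = 0x0403,
       RSA_PSS_RSAE_SHA256 = 0x0804 };

/* Hypothetical, simplified connection state; not OpenSSL's own struct. */
struct conn {
    const uint16_t *peer;  size_t npeer;   /* list offered by the client */
    const uint16_t *local; size_t nlocal;  /* list of the active context */
    uint16_t shared[8];    size_t nshared; /* empty until computed */
};

/* Constructed sample lists: one client offer and two server contexts. */
static const uint16_t PEER[] = { ECDSA_SECP256R1_SHA256, RSA_PSS_RSAE_SHA256,
                                 RSA_PKCS1_SHA256 };
static const uint16_t CTX_A[] = { RSA_PSS_RSAE_SHA256, RSA_PKCS1_SHA256 };
static const uint16_t CTX_B[] = { ECDSA_SECP256R1_SHA256 };

/* Intersection of both lists, kept in the peer's order (model assumption). */
static void set_shared_sigalgs(struct conn *c) {
    c->nshared = 0;
    for (size_t i = 0; i < c->npeer; i++)
        for (size_t j = 0; j < c->nlocal; j++)
            if (c->peer[i] == c->local[j] && c->nshared < 8) {
                c->shared[c->nshared++] = c->peer[i];
                break;
            }
}

/* Stand-in for the chain check: the scheme the chain needs must be shared. */
static int check_chain(const struct conn *c, uint16_t need) {
    for (size_t i = 0; i < c->nshared; i++)
        if (c->shared[i] == need) return 1;
    return 0;
}

/* early=0: list set only after the callback. early=1: set before it and
 * reset afterwards if the callback switched context. Returns what the
 * callback's check saw; *final_n receives the final shared-list length. */
int handshake(int early, int switch_ctx, uint16_t need, size_t *final_n) {
    struct conn c = { PEER, 3, CTX_A, 2, {0}, 0 };
    if (early) set_shared_sigalgs(&c);
    int seen = check_chain(&c, need);                   /* inside cert_cb */
    if (switch_ctx) { c.local = CTX_B; c.nlocal = 1; }  /* cert_cb switches */
    if (!early || switch_ctx) set_shared_sigalgs(&c);
    *final_n = c.nshared;
    return seen;
}
```

With `early=0` the check inside the callback sees an empty shared list and rejects a chain that the final list would have accepted; with `early=1` the check succeeds, and the list is still recomputed when the callback changes context.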