<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>We start with a context that I load a dhparam file to (so I can
take a DH connection) along with an edh curve, then set an
acceptable cipher list for it to use.</p>
<p>Assume I next manually load both the CA store (using
X509_STORE_add_cert as many times as necessary to load the
intermediate components and the root of trust) and then load the
cert/key pair (using
SSL_CTX_use_certificate/SSL_CTX_use_PrivateKey).</p>
<p>I then create some number of SSLs from that context to perform
communication with and all is well.</p>
<p>Now I want to rekey that context for some reason. It appears
that while I can add things to the CA chain, trying to load the
same component that is already in there returns a failure
(somewhat expected; that is, it does not overwrite but rather
adds, and if you try to add what's already there you get an error
back), and there's no call to CLEAR the certificate validation
chain -- if I want to *replace* the validation chain I have to
destroy the context and initialize a new one from scratch.</p>
<p>It appears, however, that I *can* load over the top of a
certificate and private key of the same type and that's
acceptable. In other words, if I have an RSA key/cert pair in the
context and I load another one, the first one is replaced. This
*looks* to be working OK as far as I can tell, and it doesn't
appear to leak memory doing that, but it's not explicitly stated
that this is considered acceptable (rather than destroying and
re-creating the context).</p>
<p>Is my understanding correct?</p>
<div class="moz-signature">-- <br>
Karl Denninger<br>
<a href="mailto:karl@denninger.net">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email preferred]</i></font>
</div>
</body>
</html>