[openssl-dev] How to do reneg with client certs in 1.1.0 API

Rainer Jung rainer.jung at kippdata.de
Mon Feb 8 12:11:11 UTC 2016


I'm adding support for OpenSSL 1.1.0 to the Apache web server.

I struggle to migrate the renegotiation code in the case where we want 
the client to send a client cert. The current code works as explained in

   http://www.linuxjournal.com/node/5487/print

After using SSL_set_verify() it calls

   SSL_renegotiate(ssl);                 /* schedule a renegotiation */
   SSL_do_handshake(ssl);                /* server sends the HelloRequest */
   SSL_set_state(ssl, SSL_ST_ACCEPT);    /* 1.0.x only: restart the accept state machine */
   SSL_do_handshake(ssl);                /* run the new handshake, reading the client cert */

for reasons given in the article.

The new 1.1.0 API no longer allows setting the state using 
SSL_set_state(). The old article states that calling 
SSL_set_accept_state() is not the right thing to do. Looking at 
s_server.c gives no hint of what to do instead, because it looks like 
it reads the client certs raw from the socket.

Any hint as to what would replace the above sequence, or at least the 
SSL_set_state(ssl, SSL_ST_ACCEPT) call?

Thanks a bunch and regards,

Rainer
