Sun Nov 5 00:36:52 UTC 2017

> On Nov 4, 2017, at 8:12 PM, Jeremy Harris <jgh at wizmail.org> wrote:
>>> After SSL_accept(), call SSL_get_certificate() to see what
>>> cert was presented.
>> The negotiated certificate is only populated in the server SSL
>> handle when you've registered a TLS status callback.  See
>>   SSL_CTX_set_tlsext_status_cb(3)
>>> What should I be doing different?
>> For now, instantiate the callback.
> It doesn't appear to make any difference :-(

Looking more closely, the server might actually need to have
received a status request *and* for there to be a callback:


The assignment of the current keypair happens on:


I think we should probably do:

        if (certpkey != NULL) {
            /*
             * Set current certificate to one we will use so SSL_get_certificate
             * et al can pick it up.
             */
            s->cert->key = certpkey;
        }

Unconditionally, at the top of the function, even if there's no callback
and no status request...