[openssl-users] Fwd: SSL_get_certificate()
Viktor Dukhovni
openssl-users at dukhovni.org
Sun Nov 5 00:36:52 UTC 2017
> On Nov 4, 2017, at 8:12 PM, Jeremy Harris <jgh at wizmail.org> wrote:
>
>>> After SSL_accept(), call SSL_get_certificate() to see what
>>> cert was presented.
>>
>> The negotiated certificate is only populated in the server SSL
>> handle when you've registered a TLS status callback. See
>>
>> SSL_CTX_set_tlsext_status_cb(3)
>>
>>> What should I be doing different?
>>
>> For now, instantiate the callback.
>
> It doesn't appear to make any difference :-(
Looking more closely, the server might actually need to have
received a status request *and* for there to be a callback:
https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/ssl/t1_lib.c#L3174
The assignment of the current keypair happens on:
https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/ssl/t1_lib.c#L3193
I think we should probably do:
    if (certpkey != NULL) {
        /*
         * Set current certificate to one we will use so SSL_get_certificate
         * et al can pick it up.
         */
        s->cert->key = certpkey;
    }
Unconditionally, at the top of the function, even if there's no callback
and no status request...
--
Viktor.