[openssl-users] Confirmation of what I believe to be true from docs and observation

Karl Denninger karl at denninger.net
Wed Jan 10 14:41:41 UTC 2018


We start with a context that I load a dhparam file to (so I can take a
DH connection) along with an edh curve, then set an acceptable cipher
list for it to use.

Assume I next manually load both the CA store (using X509_STORE_add_cert
as many times as necessary to load the intermediate components and the
root of trust) and then load the cert/key pair (using
SSL_CTX_use_certificate/SSL_CTX_use_PrivateKey).

I then create some number of SSLs from that context to perform
communication with and all is well.

Now I want to rekey that context for some reason.  It appears that while
I can add things to the CA chain trying to load the same component that
is already in there returns a failure (somewhat-expected; that is, it
does not overwrite but rather adds, and if you try to add what's already
there you get an error back) and there's no call to CLEAR the
certificate validation chain -- if I want to *replace* the validation
chain I have to destroy the context and initialize a new one from scratch.

It appears, however, that I *can* load over the top of a certificate and
private key of the same type and that's acceptable.  In other words, if
I have an RSA key/cert pair in the context and I load another one, the
first one is replaced.  This *looks* to be working ok as far as I can
tell and it doesn't appear to leak memory doing that but it's not
explicitly stated that this is considered acceptable (rather than
destroying and re-creating the context.)

Is my understanding correct?

-- 
Karl Denninger
karl at denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/