[openssl-users] SSL_CTX ignores many X509_STORE fields and uses own fields
Daurnimator
quae at daurnimator.com
Thu Jul 12 08:49:28 UTC 2018
When looking into https://github.com/wahern/luaossl/issues/140 I was
surprised to learn that an SSL_CTX* (and SSL*) does not use many of
the X509_STORE members.
e.g. a store has a X509_VERIFY_PARAMS field, however although an
SSL_CTX* has a related store, it ignores the store's params and uses
it's own.
For a connection pooling implementation, I need to check that an
existing SSL connection is something that could be approved by a given
SSL_CTX*.
I was hoping this would be as simple as doing (error handling omitted
for brevity):
X509_STORE_CTX_init(vfy_ctx, SSL_CTX_get0_store(ctx),
SSL_get_certificate(ssl), NULL);
X509_verify_cert(vfy_ctx);
However it appears that I really need to do:
X509_STORE_CTX_init(vfy_ctx, SSL_CTX_get0_store(ctx),
SSL_get_certificate(ssl), NULL);
X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(vfy_ctx),
SSL_CTX_get0_param(ctx));
// X509_STORE_CTX_set_verify_cb based on SSL_CTX_get_verify_callback(ctx)
// X509_STORE_CTX_set0_dane
// etc. etc.
X509_verify_cert(vfy_ctx);
Is this complexity warranted?
Is there any plan to remove the redundant fields?
Daurn.
More information about the openssl-users
mailing list