[openssl-users] OpenSSL 1.1.0: No X509_STORE_CTX_set_cert_crl() function?

Stephan Mühlstrasser stm at pdflib.com
Fri Jun 15 14:51:01 UTC 2018


On 15.06.18 at 16:36, Salz, Rich via openssl-users wrote:
>      It looks like in OpenSSL 1.1.0 I can no longer do that. There are only
>      functions available that return various function pointers from a
>      X509_STORE_CTX structure (like X509_STORE_CTX_get_cert_crl), but there
>      are no corresponding counterparts to set the function pointers.
> 
> This could be viewed as a bug; we had no idea people wanted to *set* various fields. We consider missing accessors/setters in opaque datatypes a bug.

I found the following awkward workaround: I set up a temporary 
X509_STORE_CTX object only for the purpose of getting the original 
X509_STORE_CTX_cert_crl_fn function pointer that I save somewhere. Then 
I call X509_STORE_set_cert_crl to assign my own cert_crl function, from 
which later X509_STORE_CTXs created for the X509_STORE will inherit it.

This is the code (minus error checking):

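/* Store that later X509_STORE_CTX objects will be initialised from */
X509_STORE *my_store = X509_STORE_new();
/* Temporary context, used only to read the original cert_crl pointer */
X509_STORE_CTX *ctx = X509_STORE_CTX_new();
X509_STORE_CTX_init(ctx, NULL, NULL, NULL);
X509_STORE_CTX_cert_crl_fn original_cert_crl = X509_STORE_CTX_get_cert_crl(ctx);
/* Install the replacement on the store */
X509_STORE_set_cert_crl(my_store, my_own_cert_crl);
X509_STORE_CTX_free(ctx);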

Should I file an issue on GitHub about the missing setters?

Thanks
Stephan
