Fwd: SSL_get_certificate()

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Fwd: SSL_get_certificate()

Jeremy Harris
1.0.2k fips.

Server, having loaded two certs (one rsa, one ecdsa) using
SSL_CTX_use_certificate_chain_file().

After SSL_accept(), call SSL_get_certificate() to see what
cert was presented.

The actual on-the-wire does what I'm expecting - the presented
server cert varies according to the server ciphers list ordering.
However, the SSL_get_certificate() call always returns the last
cert loaded.

What should I be doing different?
--
Thanks,
  Jeremy
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Fwd: SSL_get_certificate()

Viktor Dukhovni


> On Nov 4, 2017, at 7:11 PM, Jeremy Harris <[hidden email]> wrote:
>
> 1.0.2k fips.

I hope you're not enabling, or at least not voluntarily enabling
FIPS mode, but that's off-topic...

> Server, having loaded two certs (one rsa, one ecdsa) using
> SSL_CTX_use_certificate_chain_file().
>
> After SSL_accept(), call SSL_get_certificate() to see what
> cert was presented.

The negotiated certificate is only populated in the server SSL
handle when you've registered a TLS status callback.  See

   SSL_CTX_set_tlsext_status_cb(3)

> What should I be doing different?

For now, instantiate the callback.  I think we should look into
changing the behaviour at some point to always make this available
at the completion of the handshake.  And document
SSL_get_certificate().  Feel free to open an issue on Github...

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Fwd: SSL_get_certificate()

Viktor Dukhovni


> On Nov 4, 2017, at 8:12 PM, Jeremy Harris <[hidden email]> wrote:
>
>>> After SSL_accept(), call SSL_get_certificate() to see what
>>> cert was presented.
>>
>> The negotiated certificate is only populated in the server SSL
>> handle when you've registered a TLS status callback.  See
>>
>>   SSL_CTX_set_tlsext_status_cb(3)
>>
>>> What should I be doing different?
>>
>> For now, instantiate the callback.
>
> It doesn't appear to make any difference :-(

Looking more closely, the server might actually need to have
received a status request *and* for there to a callback:

https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/ssl/t1_lib.c#L3174

The assignment of the current keypair happens on:

https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/ssl/t1_lib.c#L3193

I think we should probably do:

        if (certpkey != NULL) {
            /*
             * Set current certificate to one we will use so SSL_get_certificate
             * et al can pick it up.
             */
            s->cert->key = certpkey;

Unconditionally, at the top of the function, even if there's no callback
and no status request...

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users