SSL_CTX ignores many X509_STORE fields and uses own fields

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

SSL_CTX ignores many X509_STORE fields and uses own fields

Daurnimator
When looking into https://github.com/wahern/luaossl/issues/140 I was
surprised to learn that an SSL_CTX* (and SSL*) does not use many of
the X509_STORE members.

e.g. a store has a X509_VERIFY_PARAMS field, however although an
SSL_CTX* has a related store, it ignores the store's params and uses
it's own.

For a connection pooling implementation, I need to check that an
existing SSL connection is something that could be approved by a given
SSL_CTX*.
I was hoping this would be as simple as doing (error handling omitted
for brevity):

    X509_STORE_CTX_init(vfy_ctx, SSL_CTX_get0_store(ctx),
SSL_get_certificate(ssl), NULL);
    X509_verify_cert(vfy_ctx);

However it appears that I really need to do:

    X509_STORE_CTX_init(vfy_ctx, SSL_CTX_get0_store(ctx),
SSL_get_certificate(ssl), NULL);
    X509_VERIFY_PARAM_inherit(X509_STORE_CTX_get0_param(vfy_ctx),
SSL_CTX_get0_param(ctx));
    // X509_STORE_CTX_set_verify_cb based on SSL_CTX_get_verify_callback(ctx)
    // X509_STORE_CTX_set0_dane
    // etc. etc.
    X509_verify_cert(vfy_ctx);

Is this complexity warranted?
Is there any plan to remove the redundant fields?

Daurn.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users