[Pkg-openssl-devel] Bug#829272: Missing accessors

Richard Levitte via RT rt at openssl.org
Wed Jul 20 15:11:24 UTC 2016


On Mon Jul 11 14:04:22 2016, dwmw2 at infradead.org wrote:
> I was using store.get_issuer() in OpenConnect too, because I need to
> manually build the trust chain to include it on the wire — because
> even today the server might *still* suffer RT#1942 and fail to trust
> our client cert unless we help it by providing the *right* chain.

Is this still true with OpenSSL 1.1? If so, please file a report.

> I've worked around the lack of access to get_issuer() by doing a dummy
> call to X509_verify_cert(), throwing away its result and then hoping
> that we have something useful in store.chain (which we *can* still
> access). That seems to work but I'm not stunningly happy with it; if we
> can have an accessor I'd much rather go back to doing it the old way.
>
> http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/0d635a0
> (in workaround_openssl_certchain_bug() in the hunk around line 1306)

https://github.com/openssl/openssl/pull/1294 currently provides a setter for
get_issuer in X509_STORE.

--
Richard Levitte
levitte at openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
Please log in as guest with password guest if prompted


