[Pkg-openssl-devel] Bug#829272: Missing accessors

msalle@nikhef.nl via RT rt at openssl.org
Mon Jul 25 13:05:39 UTC 2016


On Mon, Jul 25, 2016 at 12:47:56PM +0000, Salz, Rich via RT wrote:
> 
> > That's exactly what we currently do, we provide a verification callback, but
> > we do need to be able to set the failing cert in a chain for that.
> 
> Stick it in EXDAT?

I don't think I understand what you mean...
For a proper callback, we need to be able to indicate which cert in the
chain has failed. This used to be done by setting the 'current_cert'
field in the CTX. I'm perfectly happy if we need to do this differently
e.g. by using something like a
    X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx,int depth);
similar to the existing X509_STORE_CTX_get_error_depth()
That actually would make the most sense in any case I would think,
although it would mean that for properly handling proxy chains it would
have negative values according to the man-page...

    Mischa


-- 
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle at nikhef.nl
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
Please log in as guest with password guest if prompted
