[or-cvs] r12086: New code (disabled for now) to use the SSL context's cert st (in tor/trunk: . doc src/common)

nickm at seul.org nickm at seul.org
Mon Oct 22 00:26:02 UTC 2007 

Author: nickm
Date: 2007-10-21 20:26:02 -0400 (Sun, 21 Oct 2007)
New Revision: 12086

Modified:
   tor/trunk/
   tor/trunk/doc/TODO
   tor/trunk/src/common/tortls.c
Log:
 r15997 at catbus:  nickm | 2007-10-21 20:25:40 -0400
 New code (disabled for now) to use the SSL context's cert store instead of using its "extra chain cert" list to get our identity certificate sent.  This is a little close to what OpenSSL expects people to do, and it has the advantage that we should be able to keep the id cert from being sent by setting the NO_CHAIN_CERT bit.  I have tried turning new code on, and it seemed to work fine.



Property changes on: tor/trunk
___________________________________________________________________
 svk:merge ticket from /tor/trunk [r15997] on 8246c3cf-6607-4228-993b-4d95d33730f1

Modified: tor/trunk/doc/TODO
===================================================================
--- tor/trunk/doc/TODO	2007-10-21 22:12:24 UTC (rev 12085)
+++ tor/trunk/doc/TODO	2007-10-22 00:26:02 UTC (rev 12086)
@@ -54,7 +54,7 @@
       downloading the certs to check
       - But don't delay forever.
     o Make new download types comply with should_delay_dir_fetches()
-    - When DownloadExtraInfo is turned on for the first time, don't flip
+    o When DownloadExtraInfo is turned on for the first time, don't flip
       out and download the ancient history of the universe.
     o List IP addresses in certificates?
     o Make the address in votes be an actual IP address.

Modified: tor/trunk/src/common/tortls.c
===================================================================
--- tor/trunk/src/common/tortls.c	2007-10-21 22:12:24 UTC (rev 12085)
+++ tor/trunk/src/common/tortls.c	2007-10-22 00:26:02 UTC (rev 12086)
@@ -399,8 +399,16 @@
     goto error;
   X509_free(cert); /* We just added a reference to cert. */
   cert=NULL;
+#if 1
   if (idcert && !SSL_CTX_add_extra_chain_cert(result->ctx,idcert))
     goto error;
+#else
+  if (idcert) {
+    X509_STORE *s = SSL_CTX_get_cert_store(result->ctx);
+    tor_assert(s);
+    X509_STORE_add_cert(s, idcert);
+  }
+#endif
   idcert=NULL; /* The context now owns the reference to idcert */
   SSL_CTX_set_session_cache_mode(result->ctx, SSL_SESS_CACHE_OFF);
   tor_assert(rsa);

More information about the tor-commits mailing list