serf-dev mailing list archives

From Adam Langley <...@google.com.INVALID>
Subject Call X509_STORE_add_cert before transferring ownership
Date Wed, 01 Feb 2017 00:01:42 GMT
SSL_CTX_add_extra_chain_cert transfers ownership of the given certificate,
so it's best to call X509_STORE_add_cert with that certificate before
rather than after it. (This doesn't cause a problem today because OpenSSL
keeps a reference around and no other calls to modify the chain are made
between. As you might guess from this message, this is not always true
within Google!)

--- test/MockHTTPinC/MockHTTP_server.c  (revision 1781186)
+++ test/MockHTTPinC/MockHTTP_server.c  (working copy)
@@ -2755,8 +2755,8 @@
                 X509 *ssl_cert = PEM_read_X509(fp, NULL, NULL, NULL);
                 fclose(fp);

+                X509_STORE_add_cert(store, ssl_cert);
                 SSL_CTX_add_extra_chain_cert(ssl_ctx->ctx, ssl_cert);
-                X509_STORE_add_cert(store, ssl_cert);
             }
         }

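Review bot: ssl_cert from PEM_read_X509 goes into both X509_STORE_add_cert and SSL_CTX_add_extra_chain_cert without a NULL check, and neither call's return value is tested. This matters for ownership as well: SSL_CTX_add_extra_chain_cert takes ownership only when it succeeds, so on failure the certificate is still the caller's to release with X509_free. Suggest an `if (ssl_cert == NULL)` guard after the fclose, a check on both results, and a one-line comment above the reordered pair stating that the store must be populated before ownership passes to the SSL_CTX, so a later cleanup does not swap the calls back.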

Cheers

AGL
