On Tue, Mar 15, 2005 at 10:24:11AM -0500, Victor Duchovni wrote:
>
> Is there an officially condoned mechanism to avoid caching the peer
> certificate of unverified clients? I want to cache the session keys,
> but if the peer certificate is not verified, there is not much point in
> burning storage saving it in the session cache. Is it perhaps possible to
> drop the cert early in the verification callback (when the verification
> failure is detected)?
>
> I could void the warranty by:
>
> #ifdef DONT_TRY_THIS_AT_HOME
>     X509_free(session->peer);
>     session->peer = 0;
> #endif
>     buflen = i2d_SSL_SESSION(session, 0);
>     ...
>
> but I don't believe that I am supposed to bypass the accessor methods
> and mess with the SSL_SESSION structure directly...
But you have found the only way to handle the problem.
There is no official API to achieve the same effect :-)

Best regards,
	Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]