On 2014-06-25 at 16:58, Jakob Bohm <jb-open...@wisemo.com> wrote:
> On 6/25/2014 3:23 PM, Jens Maus wrote:
>> So how can I specify an own app_data for every connection? IMHO there should
>> be something like SSL_set_cert_app_data() so that I can specify different
>> app_data for different SSL connections.
>>
>
> After calling ssl_ctx = SSL_new(master_ssl_ctx) to get the new context,
> call
>
> X509_STORE store_obj = SSL_CTX_get_cert_store(ssl_ctx),

I am sorry, but isn’t SSL_new() returning a pointer of SSL* and not SSL_CTX*? Thus, I cannot simply pass that to SSL_CTX_get_cert_store() as that expects a pointer of type SSL_CTX*. Right?

> then set your pointer in the CRYPTO_EX_DATA of
> store_obj->ex_data.
>
> When your callback receives an X509_STORE_CTX store_ctx, you can access
> that same X509_STORE as store_ctx->ctx and get your pointer from the
> CRYPTO_EX_DATA at store_ctx->ctx->ex_data.
>
> At least that is what it looks like to me.
>
> (Figuring out how to use the generic CRYPTO_EX_DATA API is left as an
> exercise for the reader).

Well, that’s actually very hard for me since I am mainly an application developer and didn’t dive that deep into the various hundreds of possibilities of the complete OpenSSL API yet. So I would really enjoy seeing some pseudo code being posted here which solves the top-level problem I posted here: I want to be able to load my ca-bundle only once at application start and distribute it to all sub connections, not having to call SSL_CTX_load_verify_locations() right before each SSL_new().

Actually, I now understand that I can keep a single SSL_CTX throughout the whole lifetime of my application and just assign it to the SSL_new() call. However, as I outlined in my last posts, if I change my code like this I run into the verify_callback problem and that I have to be able to specify different app_data pointers per SSL connection, or otherwise I cannot store the certificate check results for evaluation by my application.

regards,
jens

-- 
Jens Maus, Dresden/Germany
http://jens-maus.de/
(Please note a real name change effective since 5.9.2013.
Former name: Jens Langner)
*** Content is authentic only with digital signature ***