tls: copy client CAs and cert store on CertCb #3537
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
||
| template <class Base> | ||
| int SSLWrap<Base>::SetCACerts(SecureContext* sc) { | ||
| SSL_set1_verify_cert_store(ssl_, SSL_CTX_get_cert_store(sc->ctx_)); |
There was a problem hiding this comment.
You should check the return code here.
There was a problem hiding this comment.
Good idea, though it can't fail in current OpenSSL implementation.
|
Left some comments. The commit log could go into more detail into why this change is necessary. |
|
@bnoordhuis pushed fixes, thanks! |
|
CI seems to be green, LGTY @bnoordhuis ? |
Copy client CA certs and cert store when asynchronously selecting `SecureContext` during `SNICallback`. We already copy private key, certificate, and certificate chain, but the client CA certs were missing. Fix: nodejs#2772
indutny
force-pushed
the
fix/tls-ca-sni
branch
from
387e4b9
to
7f60df5
Compare
|
@bnoordhuis updated commit message too |
|
|
||
| STACK_OF(X509_NAME)* list = SSL_dup_CA_list( | ||
| SSL_CTX_get_client_CA_list(sc->ctx_)); | ||
| SSL_set_client_CA_list(ssl_, list); |
There was a problem hiding this comment.
Can you add a comment explaining that SSL_set_client_CA_list takes ownership of the duplicate? And maybe explain why you copy it from the SSL_CTX to the SSL?
|
All fixed, PTAL @bnoordhuis |
|
LGTM |
|
Landed in 483a41c, thank you! |
indutny
added a commit
that referenced
this pull request
Nov 13, 2015
Copy client CA certs and cert store when asynchronously selecting `SecureContext` during `SNICallback`. We already copy private key, certificate, and certificate chain, but the client CA certs were missing. Fix: #2772 PR-URL: #3537 Reviewed-By: Ben Noordhuis <[email protected]>
indutny
added a commit
that referenced
this pull request
Nov 17, 2015
Copy client CA certs and cert store when asynchronously selecting `SecureContext` during `SNICallback`. We already copy private key, certificate, and certificate chain, but the client CA certs were missing. Fix: #2772 PR-URL: #3537 Reviewed-By: Ben Noordhuis <[email protected]>
Closed
|
I'm having trouble working out if this is a bugfix or something closer to a semver-minor. @indutny can you make a call on whether this would qualify for backporting to LTS? |
|
This is a bugfix. |
|
I think it qualifies for backport. |
|
The line on this one may be rather fuzzy but I tend to agree with @indutny |
MylesBorins
pushed a commit
that referenced
this pull request
Jan 28, 2016
Copy client CA certs and cert store when asynchronously selecting `SecureContext` during `SNICallback`. We already copy private key, certificate, and certificate chain, but the client CA certs were missing. Fix: #2772 PR-URL: #3537 Reviewed-By: Ben Noordhuis <[email protected]>
MylesBorins
pushed a commit
that referenced
this pull request
Feb 11, 2016
Copy client CA certs and cert store when asynchronously selecting `SecureContext` during `SNICallback`. We already copy private key, certificate, and certificate chain, but the client CA certs were missing. Fix: #2772 PR-URL: #3537 Reviewed-By: Ben Noordhuis <[email protected]>
MylesBorins
pushed a commit
to MylesBorins/node
that referenced
this pull request
Feb 11, 2016
Copy client CA certs and cert store when asynchronously selecting `SecureContext` during `SNICallback`. We already copy private key, certificate, and certificate chain, but the client CA certs were missing. Fix: nodejs#2772 PR-URL: nodejs#3537 Reviewed-By: Ben Noordhuis <[email protected]>
Merged
MylesBorins
pushed a commit
to MylesBorins/node
that referenced
this pull request
Feb 15, 2016
Copy client CA certs and cert store when asynchronously selecting `SecureContext` during `SNICallback`. We already copy private key, certificate, and certificate chain, but the client CA certs were missing. Fix: nodejs#2772 PR-URL: nodejs#3537 Reviewed-By: Ben Noordhuis <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Copy client CA certs and cert store when asynchronously selecting
SecureContextduringSNICallback.Fix: #2772
cc @nodejs/crypto