Add certificate callback. If set this is called whenever a certificate
is required by client or server. An application can decide which
certificate chain to present based on arbitrary criteria: for example
supported signature algorithms. Add very simple example to s_server.
This fixes many of the problems and restrictions of the existing client
certificate callback: for example you can now clear existing certificates
and specify the whole chain.
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 89a5131..9aa7b04 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -379,6 +379,9 @@
 
 	ret->cert_flags = cert->cert_flags;
 
+	ret->cert_cb = cert->cert_cb;
+	ret->cert_cb_arg = cert->cert_cb_arg;
+
 	return(ret);
 	
 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
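Review bot: The two added assignments copy `cert_cb_arg` by pointer, so every CERT duplicated from this one shares the same application object, with no reference count or ownership transfer visible in the hunk. If the application frees or changes that object while a duplicate is still live, the callback that selects the certificate chain would run on stale data. The borrow should be stated where the copy happens, e.g. `/* cert_cb_arg is borrowed: shared with the source CERT, never freed here; the application must keep it alive */`. The enclosing function starts above the hunk, so whether the matching free path leaves the pointer alone could not be checked from here.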
@@ -557,6 +560,12 @@
 	return 1;
 	}
 
+void ssl_cert_set_cert_cb(CERT *c, int (*cb)(SSL *ssl, void *arg), void *arg)
+	{
+	c->cert_cb = cb;
+	c->cert_cb_arg = arg;
+	}
+
 SESS_CERT *ssl_sess_cert_new(void)
 	{
 	SESS_CERT *ret;
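Review bot: `ssl_cert_set_cert_cb` is added without any comment on the callback contract. The hunk does not say what the return values of `cb` mean to the handshake, whether `cb == NULL` is the supported way to clear it, or that `arg` is stored as-is. Because this callback decides which certificate chain is presented to the peer, a misread return convention could let a handshake continue after the application meant to refuse it. A short header comment should state the return convention (taken from the call site, which is not visible here), that NULL clears the callback, and that `arg` is borrowed. `c` is also dereferenced unchecked, which is safe only if every caller passes a non-NULL CERT; that is presumably true for internal callers but worth confirming.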