Minor enhancement to PR#2836 fix. Instead of modifying SSL_get_certificate,
change the current certificate (in s->cert->key) to the one used;
SSL_get_certificate and SSL_get_privatekey will then work automatically.
diff --git a/CHANGES b/CHANGES
index 9cb1778..3dda962 100644
--- a/CHANGES
+++ b/CHANGES
@@ -347,8 +347,8 @@
  Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]
 
   *) Call OCSP Stapling callback after ciphersuite has been chosen, so
-     the right response is stapled. Also change SSL_get_certificate()
-     so it returns the certificate actually sent.
+     the right response is stapled. Also change current certificate to
+     the certificate actually sent.
      See http://rt.openssl.org/Ticket/Display.html?id=2836.
      [Rob Stradling <rob.stradling@comodo.com>]
 
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 5a639c1..0efb961 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2833,14 +2833,6 @@
 /* Fix this function so that it takes an optional type parameter */
 X509 *SSL_get_certificate(const SSL *s)
 	{
-	if (s->server)
-		{
-		CERT_PKEY *certpkey;
-		certpkey = ssl_get_server_send_pkey(s);
-		if (certpkey && certpkey->x509)
-			return certpkey->x509;
-		}
-
 	if (s->cert != NULL)
 		return(s->cert->key->x509);
 	else
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 254221b..31b3bd7 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2755,6 +2755,18 @@
 	if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
 		{
 		int r;
+		CERT_PKEY *certpkey;
+		certpkey = ssl_get_server_send_pkey(s);
+		/* If no certificate can't return certificate status */
+		if (certpkey == NULL)
+			{
+			s->tlsext_status_expected = 0;
+			return 1;
+			}
+		/* Set current certificate to one we will use so
+		 * SSL_get_certificate et al can pick it up.
+		 */
+		s->cert->key = certpkey;
 		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
 		switch (r)
 			{
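Review bot: The assignment `s->cert->key = certpkey;` sits inside the `(s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb` branch, so the current certificate is switched to the one being sent only when the client requested status and a status callback is registered. The check this commit removes from SSL_get_certificate() in ssl/ssl_lib.c applied to every server-side connection, so on other handshakes SSL_get_certificate() and SSL_get_privatekey() may again return whatever s->cert->key last pointed at rather than the certificate actually sent. If that is not intended, do the `ssl_get_server_send_pkey(s)` lookup and the assignment before the `if`; if it is intended, say so in the comment, e.g. `/* Only done when a status request is pending; otherwise s->cert->key is left unchanged. */`. The enclosing function starts and ends outside the hunk, so whether an earlier step already sets s->cert->key cannot be seen from here.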