r15997@catbus: nickm | 2007-10-21 20:25:40 -0400

 New code (disabled for now) to use the SSL context's cert store instead of using its "extra chain cert" list to get our identity certificate sent.  This is a little close to what OpenSSL expects people to do, and it has the advantage that we should be able to keep the id cert from being sent by setting the NO_CHAIN_CERT bit.  I have tried turning new code on, and it seemed to work fine.

svn:r12086

diff --git a/doc/TODO b/doc/TODO
index 6137f5066a51e0f9b96eb55d70f8c8dad29c98d9..59e44f84a79f80d91dbf4b6e7fd2dfce0dd2c2d6 100644 (file)
--- a/doc/TODO
+++ b/doc/TODO
@@ -54,7 +54,7 @@ Things we'd like to do in 0.2.0.x:
       downloading the certs to check
       - But don't delay forever.
     o Make new download types comply with should_delay_dir_fetches()
-    - When DownloadExtraInfo is turned on for the first time, don't flip
+    o When DownloadExtraInfo is turned on for the first time, don't flip
       out and download the ancient history of the universe.
     o List IP addresses in certificates?
     o Make the address in votes be an actual IP address.

diff --git a/src/common/tortls.c b/src/common/tortls.c
index de39969d548f7881c5072203ce9f8360dc4022fc..eed35cd32d5aa65f620ec8eac5f0bb59a17b83b6 100644 (file)
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -399,8 +399,16 @@ tor_tls_context_new(crypto_pk_env_t *identity, const char *nickname,
     goto error;
   X509_free(cert); /* We just added a reference to cert. */
   cert=NULL;
+#if 1
   if (idcert && !SSL_CTX_add_extra_chain_cert(result->ctx,idcert))
     goto error;
+#else
+  if (idcert) {
+    X509_STORE *s = SSL_CTX_get_cert_store(result->ctx);
+    tor_assert(s);
+    X509_STORE_add_cert(s, idcert);
+  }
+#endif
   idcert=NULL; /* The context now owns the reference to idcert */
   SSL_CTX_set_session_cache_mode(result->ctx, SSL_SESS_CACHE_OFF);
   tor_assert(rsa);