Comments for SSL_get_peer_cert_chain inconsistency.
authorBodo Möller <bodo@openssl.org>
Mon, 27 Mar 2000 18:07:45 +0000 (18:07 +0000)
committerBodo Möller <bodo@openssl.org>
Mon, 27 Mar 2000 18:07:45 +0000 (18:07 +0000)
ssl/s3_clnt.c
ssl/s3_srvr.c
ssl/ssl_lib.c

index 279d2c01983591932e180b9095d38a33c7e42e7b..0c8f551f7362df6cc17e859265f4d51065031b75 100644 (file)
@@ -772,6 +772,8 @@ static int ssl3_get_server_certificate(SSL *s)
        s->session->sess_cert=sc;
 
        sc->cert_chain=sk;
+       /* Inconsistency alert: cert_chain does include the peer's
+        * certificate, which we don't include in s3_srvr.c */
        x=sk_X509_value(sk,0);
        sk=NULL;
 
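Review bot: The asymmetry this comment records next to `sc->cert_chain=sk;` affects every caller of the public API, yet it is documented only inside function bodies, here and in the s3_srvr.c and ssl_lib.c hunks. Going by the three comments, a server-side caller that walks the result of SSL_get_peer_cert_chain() to verify, pin or log the client's certificates never sees the client's own certificate unless it also calls SSL_get_peer_certificate(). I would state the contract where callers read it, as a comment above the definition in ssl_lib.c (and on the header declaration, which is not shown here): `/* On a client the returned stack includes the peer's own certificate; on a server it does not, so obtain that one via SSL_get_peer_certificate(). */`. The enclosing function's body starts and ends outside this hunk.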
index 90806e2d99bb6fcac411600c82429c786b407704..e23ca20bd310eff7257f0858a2b8912f1ca11296 100644 (file)
@@ -1698,6 +1698,8 @@ static int ssl3_get_client_certificate(SSL *s)
        if (s->session->sess_cert->cert_chain != NULL)
                sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
        s->session->sess_cert->cert_chain=sk;
+       /* Inconsistency alert: cert_chain does *not* include the
+        * peer's own certificate, while we do include it in s3_clnt.c */
 
        sk=NULL;
 
index 3109708480b9fcadb02196e503a474bd8407f923..c515c41b4e750df60bbf1a59b0628ddb429171fa 100644 (file)
@@ -599,6 +599,9 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s)
        else
                r=s->session->sess_cert->cert_chain;
 
+       /* If we are a client, cert_chain includes the peer's own
+        * certificate; if we are a server, it does not. */
+       
        return(r);
        }