certificate after the current certificate. These two operations can be
used to iterate over all certificates in an B<SSL_CTX> structure.
+SSL_set_current_cert() also supports the option B<SSL_CERT_SET_SERVER>.
+If B<ssl> is a server and has sent a certificate to a connected client
+this option sets that certificate to the current certificate and returns 1.
+If the negotiated ciphersuite is anonymous (and thus no certificate will
+be sent) 2 is returned and the current certificate is unchanged. If B<ssl>
+is not a server or a certificate has not been sent 0 is returned and
+the current certificate is unchanged.
+
All these functions are implemented as macros. Those containing a B<1>
increment the reference count of the supplied certificate or chain so it must
be freed at some point after the operation. Those containing a B<0> do
return ssl_cert_select_current(s->cert, (X509 *)parg);
case SSL_CTRL_SET_CURRENT_CERT:
+ if (larg == SSL_CERT_SET_SERVER)
+ {
+ CERT_PKEY *cpk;
+ const SSL_CIPHER *cipher;
+ if (!s->server)
+ return 0;
+ cipher = s->s3->tmp.new_cipher;
+ if (!cipher)
+ return 0;
+ /* No certificate for unauthenticated ciphersuites */
+ if (cipher->algorithm_auth & SSL_aNULL)
+ return 2;
+ cpk = ssl_get_server_send_pkey(s);
+ if (!cpk)
+ return 0;
+ s->cert->key = cpk;
+ return 1;
+ }
return ssl_cert_set_current(s->cert, larg);
#ifndef OPENSSL_NO_EC
#define SSL_CERT_SET_FIRST 1
#define SSL_CERT_SET_NEXT 2
+#define SSL_CERT_SET_SERVER 3
#define DTLSv1_get_timeout(ssl, arg) \
SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
int i;
c = s->cert;
+ if (!s->s3 || !s->s3->tmp.new_cipher)
+ return NULL;
ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
projects / openssl.git / commitdiff