[stunnel-users] public domain [Patch] Support multiple X509 client certificates with same CN
Leon Winter
winter at bfw-online.de
Tue Apr 1 12:52:45 CEST 2014
Hi Michal,
thanks for the fast integration.
> Thank you very much. Could you please test my implementation?
> https://www.stunnel.org/downloads/beta/stunnel-5.01b2.tar.gz
due to other changes in the code, like the ui_* refactoring, I could not
compile this exact version, but in the end I managed to compile a
modified stunnel 5.00 version[1] with your modified src/verify.c, which
contains the relevant logic, and I can confirm it is working. It
correctly iterates over the set of client certificates with the given CN
and then also correctly identifies a matching one.
> It should be thread-safe, as X509_STORE_get1_certs() synchronizes
> X509_STORE operations with CRYPTO_LOCK_X509_STORE locks.
> It also doesn't use any pointers to internal OpenSSL data structures, so
> it should be able to survive updates of the OpenSSL shared libraries.
As I am not very familiar with the OpenSSL API I cannot comment on that;
however, not using the low-level interfaces certainly is cleaner and the
way to go. However, this way only more current versions of stunnel with a
recent OpenSSL version will support this functionality, while using the
other 'non-clean' way would also add support for users with older
OpenSSL versions. Since I have the latest version of OpenSSL I am
perfectly fine with the change though ;)
One minor note: there is a blank at the EOL in line 291 of verify.c, but
since this was just a beta release you might clean up the code later
before the actual release.
Best regards,
Leon Winter
[1] http://anonscm.debian.org/gitweb/?p=collab-maint/stunnel.git;a=summary
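The lookup the patch is about, written out as an added Go example (not stunnel's code, which does this in C against OpenSSL's X509_STORE): a store keyed by DER subject keeps every client certificate that shares a CN, and the peer certificate is compared against each candidate instead of only the first one. CertStore, MatchFirstOnly, MatchAny and SelfSigned are names chosen here, and the certificates are generated on the fly as constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CertStore indexes trusted client certificates by DER-encoded subject, so several certificates sharing one CN sit under the same key.
type CertStore map[string][]*x509.Certificate

func (s CertStore) Add(c *x509.Certificate) {
	s[string(c.RawSubject)] = append(s[string(c.RawSubject)], c)
}

// MatchFirstOnly mirrors the pre-patch logic: only the first stored certificate with the peer's subject is compared.
func (s CertStore) MatchFirstOnly(peer *x509.Certificate) bool {
	cands := s[string(peer.RawSubject)]
	return len(cands) > 0 && cands[0].Equal(peer)
}

// MatchAny mirrors the patched logic: every stored certificate with the peer's subject is compared, and the peer is accepted if one is identical.
func (s CertStore) MatchAny(peer *x509.Certificate) bool {
	for _, c := range s[string(peer.RawSubject)] {
		if c.Equal(peer) { // byte-for-byte DER comparison, not just a CN match
			return true
		}
	}
	return false
}

// SelfSigned builds a throwaway self-signed certificate with the given CN (constructed test data, fresh key each call).
func SelfSigned(cn string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

With two certificates for the same CN loaded, MatchFirstOnly rejects the second one while MatchAny accepts both and still rejects a third, unknown certificate carrying that CN.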