Commit 4e05aedb authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Preserve digests for SNI.



SSL_set_SSL_CTX is normally called for SNI after the ClientHello has
been received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests, which are now
copied to the new ssl->cert.

PR: 3560
Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
parent bf3e200e
+13 −2
@@ -2944,15 +2944,26 @@ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)

SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
	{
	CERT *ocert = ssl->cert;
	if (ssl->ctx == ctx)
		return ssl->ctx;
#ifndef OPENSSL_NO_TLSEXT
	if (ctx == NULL)
		ctx = ssl->initial_ctx;
#endif
	if (ssl->cert != NULL)
		ssl_cert_free(ssl->cert);
	ssl->cert = ssl_cert_dup(ctx->cert);
	if (ocert != NULL)
		{
		int i;
		/* Copy negotiated digests from original */
		for (i = 0; i < SSL_PKEY_NUM; i++)
			{
			CERT_PKEY *cpk = ocert->pkeys + i;
			CERT_PKEY *rpk = ssl->cert->pkeys + i;
			rpk->digest = cpk->digest;
			}
		ssl_cert_free(ocert);
		}
	CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
	if (ssl->ctx != NULL)
		SSL_CTX_free(ssl->ctx); /* decrement reference count */
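Review bot: The result of `ssl->cert = ssl_cert_dup(ctx->cert);` is still unchecked, and the new loop dereferences it at `ssl->cert->pkeys + i` whenever ocert is non-NULL, so an allocation failure inside ssl_cert_dup now becomes a NULL pointer dereference rather than leaving ssl->cert NULL as the old code did. Because the original cert is now freed only after the duplicate exists, the dup result can be tested before anything is modified, leaving ssl->cert and ssl->ctx intact and the ctx reference count not yet incremented on failure. Callers that ignore the return value would then need to treat NULL as failure; whether any library-internal caller does so is not visible from this hunk. SSL_set_SSL_CTX continues past the end of the hunk.
```c
SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
	{
	CERT *ocert = ssl->cert;
	CERT *ncert;
	/* … unchanged: same-ctx early return, initial_ctx fallback … */
	ncert = ssl_cert_dup(ctx->cert);
	if (ncert == NULL)
		return NULL;	/* allocation failed: ssl->cert and ssl->ctx are untouched */
	ssl->cert = ncert;
	/* … unchanged: negotiated-digest copy loop, ssl_cert_free(ocert), reference handling … */
```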