Call OCSP Stapling callback after ciphersuite has been chosen, so the
[oweals/openssl.git] / ssl / ssl_lib.c
index 78009e88cde3c13f0b51a5276ce58cde802a4ab6..555a630b1ba8da6e316c2e2ed5b6111c37135e8b 100644 (file)
@@ -2320,7 +2320,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
 #endif
 
 /* THIS NEEDS CLEANING UP */
-static int ssl_get_server_cert_index(SSL *s)
+static int ssl_get_server_cert_index(const SSL *s)
        {
        unsigned long alg_k, alg_a;
 
@@ -2371,7 +2371,7 @@ static int ssl_get_server_cert_index(SSL *s)
                }
        }
 
-CERT_PKEY *ssl_get_server_send_pkey(SSL *s)
+CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
        {
        CERT *c;
        int i;
@@ -2668,7 +2668,7 @@ const char *SSL_get_version(const SSL *s)
                return("TLSv1.2");
        else if (s->version == TLS1_1_VERSION)
                return("TLSv1.1");
-       if (s->version == TLS1_VERSION)
+       else if (s->version == TLS1_VERSION)
                return("TLSv1");
        else if (s->version == SSL3_VERSION)
                return("SSLv3");
@@ -2840,6 +2840,14 @@ void ssl_clear_cipher_ctx(SSL *s)
 /* Fix this function so that it takes an optional type parameter */
 X509 *SSL_get_certificate(const SSL *s)
        {
+       if (s->server)
+               {
+               CERT_PKEY *certpkey;
+               certpkey = ssl_get_server_send_pkey(s);
+               if (certpkey && certpkey->x509)
+                       return certpkey->x509;
+               }
+
        if (s->cert != NULL)
                return(s->cert->key->x509);
        else
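Review bot: The new server branch in SSL_get_certificate calls `ssl_get_server_send_pkey(s)` without first checking that a ciphersuite has been selected for this connection. The body of ssl_get_server_cert_index is outside these hunks, but its `alg_k, alg_a` locals suggest it reads the pending cipher's algorithm masks; if so, calling this on a server before cipher selection (a freshly created SSL, or an early handshake callback) could dereference a NULL cipher pointer. Consider guarding the branch, for example `if (s->server && s->s3 != NULL && s->s3->tmp.new_cipher != NULL)`, and otherwise falling through to the existing `s->cert->key->x509` path. Because the return value now depends on handshake progress, a comment such as `/* on a server, prefer the certificate selected for the negotiated ciphersuite */` above the branch would help callers. The function body continues past the end of the hunk.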