From: Bodo Möller
Date: Mon, 27 Mar 2000 18:07:45 +0000 (+0000)
Subject: Comments for SSL_get_peer_cert_chain inconsistency.
X-Git-Tag: OpenSSL_0_9_5a~11
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=98e04f9eeb6fcd673a9952fcfab90f38fdf8e7d6;p=oweals%2Fopenssl.git

Comments for SSL_get_peer_cert_chain inconsistency.
---
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 279d2c0198..0c8f551f73 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -772,6 +772,8 @@ static int ssl3_get_server_certificate(SSL *s)
 s->session->sess_cert=sc;
 sc->cert_chain=sk;
+ /* Inconsistency alert: cert_chain does include the peer's
+ * certificate, which we don't include in s3_srvr.c */
 x=sk_X509_value(sk,0);
 sk=NULL;
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 90806e2d99..e23ca20bd3 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1698,6 +1698,8 @@ static int ssl3_get_client_certificate(SSL *s)
 if (s->session->sess_cert->cert_chain != NULL) sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
 s->session->sess_cert->cert_chain=sk;
+ /* Inconsistency alert: cert_chain does *not* include the
+ * peer's own certificate, while we do include it in s3_clnt.c */
 sk=NULL;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 3109708480..c515c41b4e 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -599,6 +599,9 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s)
 else r=s->session->sess_cert->cert_chain;
+ /* If we are a client, cert_chain includes the peer's own
+ * certificate; if we are a server, it does not. */
+
 return(r);
 }
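Review bot: The two "Inconsistency alert" comments, in ssl3_get_server_certificate (ssl/s3_clnt.c) and ssl3_get_client_certificate (ssl/s3_srvr.c), refer to each other by file name only and do not say where in the stack the peer's certificate sits. The line after the client-side comment, `x=sk_X509_value(sk,0);`, appears to rely on it being element 0, so that is worth stating if it is the intended invariant. I would name the counterpart function in each comment, e.g. `/* Inconsistency alert: cert_chain includes the peer's certificate (element 0); ssl3_get_client_certificate() in s3_srvr.c stores the chain without it */`, and mirror that wording on the server side. Both functions start and end outside their hunks.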
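Review bot: The caveat added to SSL_get_peer_cert_chain in ssl/ssl_lib.c sits inside the body just before `return(r);`, where an application author reading the prototype or the API documentation will not see it. The asymmetry is security-relevant for callers: server code that walks the returned stack to apply its own checks to the client's certificates would never examine the client's own certificate. I would move the text to a header comment above the function and spell out the consequence, e.g. `/* On a server the returned chain omits the peer's own certificate; fetch it separately with SSL_get_peer_certificate(). */`. The start of the function is outside the hunk.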