Add manpages for SSL_get_certificate, SSL_get_privatekey #17815
Conversation
This is as I understand these functions from reading the code.
hlandau
added
branch: master
hlandau
changed the title
doc/man3/SSL_get_certificate.pod
Outdated
| certificate which represents the local peer's identity. For servers, it returns | ||
| the server's certificate. If a server has multiple certificates (for different | ||
| algorithms, for example RSA and ECDSA), the certificate in actual use is | ||
| returned. For clients, it returns the client certificate being used, if any. |
There was a problem hiding this comment.
I don't think this isn't quite correct. Before the handshake it returns the last certificate that was added to the SSL/SSL_CTX or NULL if none were added yet. During the handshake it selects a certificate to use for the connection and from that point on it returns the selected certificate.
There was a problem hiding this comment.
I still don't think this is quite right. I would merge the text you added under RETURN VALUES into this text. The text about "multiple certificates" at the moment is quite misleading in the case where it is called before the handshake. Perhaps adding something like "or the most recently added certificate if called before a certificate has been selected". Or something like that.
|
How's this? |
doc/man3/SSL_get_certificate.pod
Outdated
| certificate which represents the local peer's identity. For servers, it returns | ||
| the server's certificate. If a server has multiple certificates (for different | ||
| algorithms, for example RSA and ECDSA), the certificate in actual use is | ||
| returned. For clients, it returns the client certificate being used, if any. |
There was a problem hiding this comment.
I still don't think this is quite right. I would merge the text you added under RETURN VALUES into this text. The text about "multiple certificates" at the moment is quite misleading in the case where it is called before the handshake. Perhaps adding something like "or the most recently added certificate if called before a certificate has been selected". Or something like that.
doc/man3/SSL_get_certificate.pod
Outdated
| object is available. Before the handshake has completed, the certificate | ||
| returned is the one most recently added to the SSL object, or NULL if no | ||
| certificate has yet been added. After the handshake has completed, the | ||
| certificate returned is the one which was selected during the handshake. |
There was a problem hiding this comment.
I'd keep this more about about error conditions etc, e.g. "SSL_get_certifciate() returns a pointer to the certificate or a NULL if there is no certificate"
|
Updated again. |
doc/man3/SSL_get_certificate.pod
Outdated
| =item | ||
|
|
||
| If it is called before the handshake has completed, it returns the most recently | ||
| added certificate, or NULL if no certificate has been added. |
There was a problem hiding this comment.
Strictly speaking the certificate selection happens during the handshake. This distinction is important in the case of callbacks that occur during the handshake (such as the tlsext_status_cb). So, the tlsext_statuc_cb will get the selected certificate (which is not necessarily the most recently added one) even though the handshake has not been completed yet.
|
Updated. |
paulidale
removed
the
approval: otc review pending
|
Updated. |
…te, SSL_get_private_key
|
Updated. |
t8m
added
approval: done
|
The CI failure is relevant. Please fix. |
t8m
removed
the
approval: done
…rtificate, SSL_get_private_key
|
Updated. |
t8m
added
the
approval: review pending
|
@paulidale still OK? |
mattcaswell
added
approval: done
openssl-machine
added
approval: ready to merge
|
This pull request is ready to merge |
This is as I understand these functions from reading the code. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #17815)
|
Merged to 3.0 and master branches. Thank you. |
This is as I understand these functions from reading the code.