Add manpages for SSL_get_certificate, SSL_get_privatekey #17815
This is as I understand these functions from reading the code.
doc/man3/SSL_get_certificate.pod
certificate which represents the local peer's identity. For servers, it returns
the server's certificate. If a server has multiple certificates (for different
algorithms, for example RSA and ECDSA), the certificate in actual use is
returned. For clients, it returns the client certificate being used, if any.
I don't think this is quite correct. Before the handshake it returns the last certificate that was added to the SSL/SSL_CTX or NULL if none were added yet. During the handshake it selects a certificate to use for the connection and from that point on it returns the selected certificate.
I still don't think this is quite right. I would merge the text you added under RETURN VALUES into this text. The text about "multiple certificates" at the moment is quite misleading in the case where it is called before the handshake. Perhaps adding something like "or the most recently added certificate if called before a certificate has been selected". Or something like that.
How's this?
doc/man3/SSL_get_certificate.pod
object is available. Before the handshake has completed, the certificate
returned is the one most recently added to the SSL object, or NULL if no
certificate has yet been added. After the handshake has completed, the
certificate returned is the one which was selected during the handshake.
I'd keep this more about error conditions etc, e.g. "SSL_get_certificate() returns a pointer to the certificate or a NULL if there is no certificate"
Updated again.
doc/man3/SSL_get_certificate.pod
=item

If it is called before the handshake has completed, it returns the most recently
added certificate, or NULL if no certificate has been added.
Strictly speaking the certificate selection happens during the handshake. This distinction is important in the case of callbacks that occur during the handshake (such as the tlsext_status_cb). So, the tlsext_status_cb will get the selected certificate (which is not necessarily the most recently added one) even though the handshake has not been completed yet.
Updated.
Updated.
…te, SSL_get_private_key
Updated.
Still approved (of course).
The CI failure is relevant. Please fix.
Looks good apart from the nit (which is causing the CI failure)
…rtificate, SSL_get_private_key
Updated.
@paulidale still OK?
This pull request is ready to merge
This is as I understand these functions from reading the code. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #17815)
Merged to 3.0 and master branches. Thank you.