OpenSSL::SSL::SSLContext#add_certificate, then #cert returns nil #303
I think it should be possible to read the certificates out of a context. It should behave like a value object. I'm happy to receive your ideas regarding this, but I do think it needs attention. One thing I considered was to expose something like
Not being able to get the certificate set by OpenSSL::SSL::SSLContext#add_certificate is intentional. This is because OpenSSL::SSL::SSLContext#add_certificate is allowed to be called multiple times on the same SSLContext. Here is an expected use case on a server:

```ruby
require "openssl"

ctx = OpenSSL::SSL::SSLContext.new

# RSA leaf certificate, its private key, and the intermediate CA chain
rsa_cert = OpenSSL::X509::Certificate.new(...)
rsa_pkey = OpenSSL::PKey.read(...)
rsa_cas = [OpenSSL::X509::Certificate.new(...), ...]

# ECC leaf certificate, key, and chain, loaded the same way
ecc_cert = ...
ecc_pkey = ...
ecc_cas = ...

# Both (certificate, key, chain) sets are installed on the same context;
# the handshake selects one of them.
ctx.add_certificate(rsa_cert, rsa_pkey, rsa_cas)
ctx.add_certificate(ecc_cert, ecc_pkey, ecc_cas)
```

This code adds two sets of (certificate, private key) pairs to the SSLContext, and either of them will be chosen during the TLS handshake, depending on the request by the client. It's not clear what SSLContext#{cert,key,extra_chain_cert} should return. The documentation could be written better, instead of just stating "#cert is deprecated."
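An added example, not code from the issue or from the ruby/openssl project, that shows the two sides of the behaviour described above: a throwaway self-signed certificate is installed with add_certificate, SSLContext#cert still reads as nil, and a handshake over a local socket pair confirms the peer nevertheless receives exactly that certificate. The helper names make_self_signed and add_certificate_demo and the common name are assumptions made for this example.

```ruby
require "openssl"
require "socket"

# Build a throwaway self-signed certificate and its key. Constructed for this
# example only; nothing here comes from the issue or the ruby/openssl tests.
def make_self_signed(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Install the pair with add_certificate, then handshake over a socket pair to
# compare what #cert reports with what the client actually receives.
def add_certificate_demo
  cert, key = make_self_signed("issue303.example")   # hypothetical name
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.add_certificate(cert, key)

  server_io, client_io = UNIXSocket.pair
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(server_io, server_ctx)
    ssl.accept   # serves the certificate/key installed by add_certificate
    ssl.close
  end

  client_ctx = OpenSSL::SSL::SSLContext.new
  # Self-signed test cert: skip chain verification and compare DER bytes instead.
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  client = OpenSSL::SSL::SSLSocket.new(client_io, client_ctx)
  client.connect
  peer_der = client.peer_cert.to_der
  client.close
  server.join

  {
    cert_attr_nil: server_ctx.cert.nil?,    # true: #cert does not reflect add_certificate
    peer_matches:  peer_der == cert.to_der  # true: the handshake still served the cert
  }
end
```

Calling add_certificate_demo returns both flags as true, which is the mismatch the issue reports: the context is using a certificate that its own #cert accessor does not expose.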
This issue is related to the behavior of `OpenSSL::SSL::SSLContext#add_certificate(_chain_file)`. When the `add_certificate` method is called on the SSLContext object, it loads certificates. In my opinion, it was expected to return a Certificate object (not nil) when the `cert` method is called. But the object does not return a Certificate object and returns nil. You can check this if you run the following code.

The object, in a handshake, uses the server certificate object and the private key object that were loaded by `add_certificate`. It is tested by test_add_certificate. The `add_certificate_chain_file` method is the same as this. The SSLContext object does not return these objects.

As commented, the `cert`, `key` and `extra_chain_cert` attributes are deprecated, so is it as intended? If so, what do you think about adding a note that `cert` (etc.) returns nil?