[stunnel-users] public domain [Patch] Support multiple X509 client certificates with same CN

Leon Winter winter at bfw-online.de
Tue Apr 1 12:52:45 CEST 2014


Hi Michal,

thanks for the fast integration.

> Thank you very much.  Could you please test my implementation?
> https://www.stunnel.org/downloads/beta/stunnel-5.01b2.tar.gz

due to other changes in the code like the ui_* refactoring I could not
compile these exact version but in the end I managed to compile a
modified stunnel 5.00 version[1] with your modified src/verify.c which
contains the relevant logic and I can confirm it is working. It
correctly iterates over the set of client certificates with the given CN
and then also correctly identifies a matching one.

> It should be thread-safe, as X509_STORE_get1_certs() synchronizes
> X509_STORE operations with CRYPTO_LOCK_X509_STORE locks.
> It also doesn't use any pointers to internal OpenSSL data structures, so
> it should be able to survive updates of the OpenSSL shared libraries.

As I am not very familiar with the OpenSSL API I cannot comment on that,
however not using the lowlevel interfaces certainly is cleaner and the
way to go. However this way only more current versions of stunnel with a
recent OpenSSL version will support this functionality while using the
other 'non-clean' way would also add support for users with older
OpenSSL versions. Since I have the latest version of OpenSSL I am
perfectly fine with the change though ;)

One minor note, in line 291 of verify.c is a blank at the EOL, but since
this was just a beta release you might clean up the code later before
the actual release.

Best regards,
Leon Winter

[1]
http://anonscm.debian.org/gitweb/?p=collab-maint/stunnel.git;a=summary



More information about the stunnel-users mailing list