Call OCSP Stapling callback after ciphersuite has been chosen, so the

right response is stapled. Also change SSL_get_certificate() so it returns the certificate actually sent. See http://rt.openssl.org/Ticket/Display.html?id=2836.
2012-09-11 12:57:46 +00:00
parent 147d4c96b0
commit 2daceb0342
5 changed files with 87 additions and 39 deletions
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1432,6 +1432,16 @@ int ssl3_get_client_hello(SSL *s)
 	 * s->tmp.new_cipher	- the new cipher to use.
 	 */

+	/* Handles TLS extensions that we couldn't check earlier */
+	if (s->version >= SSL3_VERSION)
+		{
+		if (ssl_check_clienthello_tlsext_late(s) <= 0)
+			{
+			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
+			goto err;
+			}
+		}
+
 	if (ret < 0) ret=1;
 	if (0)
 		{