Copy negotiated parameters in SSL_set_SSL_CTX.

SSL_set_SSL_CTX is used to change the SSL_CTX for SNI, keep the supported signature algorithms and raw cipherlist. Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit 14e14bf6964965d02ce89805d9de867f000095aa)
author: Dr. Stephen Henson <steve@openssl.org> 2014-10-09 00:23:34 +0100
committer: Dr. Stephen Henson <steve@openssl.org> 2014-10-24 14:01:01 +0100
commit: 1ce95f19601bbc6bfd24092c76c8f8105124e857 (patch)
tree: d388297b53b43083922c4d71a2919188a699552c
parent: 51695b98f128f8e091256c601266b1dd4fb731bd (diff)
1 files changed, 15 insertions, 2 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index e336a56dbe..22a210e90f 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3184,15 +3184,28 @@ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
 
 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
 	{
+	CERT *ocert = ssl->cert;
 	if (ssl->ctx == ctx)
 		return ssl->ctx;
 #ifndef OPENSSL_NO_TLSEXT
 	if (ctx == NULL)
 		ctx = ssl->initial_ctx;
 #endif
-	if (ssl->cert != NULL)
-		ssl_cert_free(ssl->cert);
 	ssl->cert = ssl_cert_dup(ctx->cert);
+	if (ocert)
+		{
+		/* Preserve any already negotiated parameters */
+		if (ssl->server)
+			{
+			ssl->cert->peer_sigalgs = ocert->peer_sigalgs;
+			ssl->cert->peer_sigalgslen = ocert->peer_sigalgslen;
+			ocert->peer_sigalgs = NULL;
+			ssl->cert->ciphers_raw = ocert->ciphers_raw;
+			ssl->cert->ciphers_rawlen = ocert->ciphers_rawlen;
+			ocert->ciphers_raw = NULL;
+			}
+		ssl_cert_free(ocert);
+		}
 	CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
 	if (ssl->ctx != NULL)
 		SSL_CTX_free(ssl->ctx); /* decrement reference count */
author	Dr. Stephen Henson <steve@openssl.org>	2014-10-09 00:23:34 +0100
committer	Dr. Stephen Henson <steve@openssl.org>	2014-10-24 14:01:01 +0100
commit	1ce95f19601bbc6bfd24092c76c8f8105124e857 (patch)
tree	d388297b53b43083922c4d71a2919188a699552c
parent	51695b98f128f8e091256c601266b1dd4fb731bd (diff)