Call OCSP Stapling callback after ciphersuite has been chosen, so the

right response is stapled. Also change SSL_get_certificate() so it returns the certificate actually sent. See http://rt.openssl.org/Ticket/Display.html?id=2836.
author: Ben Laurie <ben@openssl.org> 2012-09-17 14:39:38 +0000
committer: Ben Laurie <ben@openssl.org> 2012-09-17 14:39:38 +0000
commit: 70d91d60bc68ade5d12cc9de6c9f3f10f319a5c5 (patch)
tree: 6f7f99154ad449ad5391d728723a21c7aa3f1cd1 /ssl/s3_srvr.c
parent: bc788830173a10023f567f959e434f74eceff694 (diff)
1 files changed, 11 insertions, 1 deletions
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 38e1281db2..5e1007077f 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1183,7 +1183,7 @@ int ssl3_get_client_hello(SSL *s)
 			goto f_err;
 			}
 		}
-		if (ssl_check_clienthello_tlsext(s) <= 0) {
+		if (ssl_check_clienthello_tlsext_early(s) <= 0) {
 			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
 			goto err;
 		}
@@ -1405,6 +1405,16 @@ int ssl3_get_client_hello(SSL *s)
 	 * s->tmp.new_cipher	- the new cipher to use.
 	 */
 
+	/* Handles TLS extensions that we couldn't check earlier */
+	if (s->version >= SSL3_VERSION)
+		{
+		if (ssl_check_clienthello_tlsext_late(s) <= 0)
+			{
+			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
+			goto err;
+			}
+		}
+
 	if (ret < 0) ret=1;
 	if (0)
 		{
author	Ben Laurie <ben@openssl.org>	2012-09-17 14:39:38 +0000
committer	Ben Laurie <ben@openssl.org>	2012-09-17 14:39:38 +0000
commit	70d91d60bc68ade5d12cc9de6c9f3f10f319a5c5 (patch)
tree	6f7f99154ad449ad5391d728723a21c7aa3f1cd1 /ssl/s3_srvr.c
parent	bc788830173a10023f567f959e434f74eceff694 (diff)