Use X509_digest() instead of memcpy() to obtain cert fingerprint
This will continue to work even if the OpenSSL developers make the X509* structure opaque; the current approach will not.
parent
7dade6a811
commit
d3806d0503
1 changed files with 3 additions and 1 deletions
|
@ -33,6 +33,7 @@
|
||||||
#include <openssl/ssl.h>
|
#include <openssl/ssl.h>
|
||||||
#include <openssl/dh.h>
|
#include <openssl/dh.h>
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/evp.h>
|
||||||
#include <openssl/rand.h>
|
#include <openssl/rand.h>
|
||||||
|
|
||||||
static SSL_CTX *ssl_server_ctx;
|
static SSL_CTX *ssl_server_ctx;
|
||||||
|
@ -666,7 +667,8 @@ rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
|
||||||
res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
|
res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
|
||||||
res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
|
res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
|
||||||
{
|
{
|
||||||
memcpy(certfp, cert->sha1_hash, RB_SSL_CERTFP_LEN);
|
unsigned int certfp_length = RB_SSL_CERTFP_LEN;
|
||||||
|
X509_digest(cert, EVP_sha1(), certfp, &certfp_length);
|
||||||
X509_free(cert);
|
X509_free(cert);
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
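Review bot: The new `X509_digest()` call in the second hunk ignores its return value, so a failed digest still falls through to `return 1` and the caller is told that `certfp` holds the peer's fingerprint when the buffer may never have been written. Since this value is presumably compared against stored fingerprints to authenticate the peer, the failure should be explicit: `if (X509_digest(cert, EVP_sha1(), certfp, &certfp_length) != 1 || certfp_length != RB_SSL_CERTFP_LEN) { X509_free(cert); return 0; }` (assuming 0 is the function's no-fingerprint result, which is outside the hunk). The length argument is output-only, so initialising it to `RB_SSL_CERTFP_LEN` does not bound the write; the call is safe only while `RB_SSL_CERTFP_LEN` is at least the 20-byte SHA-1 digest size, which a comment or a static assertion next to the call could record. The body of `rb_get_ssl_certfp` starts and ends outside the hunk.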