[PATCH] ignore duplicate OpenSSL client cert and private key addition

Dan Williams dcbw
Tue Jan 15 11:54:23 PST 2008

On Sun, 2008-01-13 at 08:43 -0800, Jouni Malinen wrote:
> On Sun, Jan 13, 2008 at 01:43:55AM -0500, Dan Williams wrote:
> > Ignore duplicate certificate addition errors for client certificates and
> > private keys too, as is done for CA certs.  Applies to both 0.6.x and
> > 0.5.x.
> How can you trigger this? CA certificates are added to SSL_CTX which is
> maintained over connections, but client certificates and private keys
> are added to SSL which is re-initialized for every connection (apart
> from session resumption, but that does not load the key/cert anyway).
> There's one exception to this in PKCS#12 handling where additional
> certificates are added to the chain. Those are added to the SSL_CTX
> since I'm not aware of OpenSSL functionality to add them into SSL. This
> could show the cert already known errors. However, the patch here did
> not touch that functionality.

Will test again and see when I get back into the office on Wednesday.  I
patched this because I'm pretty sure I saw the duplicate certificate
error (adding blobs via the D-Bus control interface with a patch I've
yet to post).  However, looking at the code I can see your point.  I'll
have to go back and dig a bit more to see if this is still a problem
without the patch in 0.5.9 and if so get a callstack for you.


More information about the Hostap mailing list