[openssl-users] Is verification supposed to fail with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT without SSL_CTX_set_client_CA_list?
Jeffrey Walton
noloader at gmail.com
Sat Feb 27 21:22:22 UTC 2016
This came up recently on Stack Overflow. The server code specified
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, but failed to call
SSL_CTX_set_client_CA_list. The connection did not fail as expected.
Looking at the man page for SSL_CTX_set_verify [1] and
SSL_CTX_set_client_CA_list [2] it looks like the connection is
supposed to fail. From [1]:
SSL_VERIFY_FAIL_IF_NO_PEER_CERT
Server mode: if the client did not return a certificate,
the TLS/SSL handshake is immediately terminated
with a "handshake failure" alert...
Is verification supposed to fail with SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT regardless of the interactions with
SSL_CTX_set_client_CA_list? Or is there a hidden dependency on
SSL_CTX_set_client_CA_list?
[1] http://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_verify.html
[2] http://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_client_CA_list.html
More information about the openssl-users
mailing list