[openssl-users] Is verification supposed to fail with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT without SSL_CTX_set_client_CA_list?
Michel
michel.sales at free.fr
Sat Feb 27 22:41:57 UTC 2016
Really ?
As your post alarmed me, I tried my tests programs again and didn't noticed
anything wrong.
I have a server code whose context is configured with SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT and which do not call
SSL_CTX_set_client_CA_list().
In this case, handshake is failing as expected when clients didn't send a
certificate.
OpenSSL Windows 32 bits version 1.1 from git repo yesterday.
-----Message d'origine-----
De : openssl-users [mailto:openssl-users-bounces at openssl.org] De la part de
Jeffrey Walton
Envoyé : samedi 27 février 2016 22:22
À : OpenSSL Users List
Objet : [openssl-users] Is verification supposed to fail with
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT without
SSL_CTX_set_client_CA_list?
This came up recently on Stack Overflow. The server code specified
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, but failed to call
SSL_CTX_set_client_CA_list. The connection did not fail as expected.
Looking at the man page for SSL_CTX_set_verify [1] and
SSL_CTX_set_client_CA_list [2] it looks like the connection is supposed to
fail. From [1]:
SSL_VERIFY_FAIL_IF_NO_PEER_CERT
Server mode: if the client did not return a certificate,
the TLS/SSL handshake is immediately terminated
with a "handshake failure" alert...
Is verification supposed to fail with SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT regardless of the interactions with
SSL_CTX_set_client_CA_list? Or is there a hidden dependency on
SSL_CTX_set_client_CA_list?
More information about the openssl-users
mailing list