[openssl-users] SSL_GET_SERVER_CERT_INDEX:internal error

Viktor Dukhovni openssl-users at dukhovni.org
Fri Dec 21 17:43:55 UTC 2018


On Fri, Dec 21, 2018 at 11:20:43AM -0500, Viktor Dukhovni wrote:

> Which naturally does not map to any kind of certificate.  While TLS
> 1.2 still lives and is still capable of aNULL ciphersuites, it might
> make sense to add a line of code to detect that condition, and not
> push anything onto the error stack...

Perhaps this patch is too late for 1.0.2, which is on its last year
of support, and so likely gets security fixes only, but here it is
for the record:

--- ssl/ssl_lib.c
+++ ssl/ssl_lib.c
@@ -2540,8 +2540,13 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
 
 static int ssl_get_server_cert_index(const SSL *s)
 {
+    const SSL_CIPHER *c = s->s3->tmp.new_cipher;
     int idx;
-    idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
+
+    /* Certificate-less ciphers don't have a cert index, and that's OK */
+    if (c->algorithm_auth & (SSL_aNULL | SSL_aPSK | SSL_aSRP))
+        return -1;
+    idx = ssl_cipher_get_cert_index(c);
     if (idx == SSL_PKEY_RSA_ENC && !s->cert->pkeys[SSL_PKEY_RSA_ENC].x509)
         idx = SSL_PKEY_RSA_SIGN;
     if (idx == -1)
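Review bot: the early `return -1` for SSL_aNULL / SSL_aPSK / SSL_aSRP bypasses the trailing `if (idx == -1)` branch, which in this thread is the one that raised the reported SSL_GET_SERVER_CERT_INDEX internal error, so the function now hands back -1 with nothing on the error stack for certificate-less ciphersuites while still reporting -1 plus an error for an unexpected cipher. That makes the return value ambiguous to callers that only test `idx < 0`; it is worth checking that each caller of ssl_get_server_cert_index treats -1 as "no server certificate to select" rather than as failure, and extending the comment to say so, e.g. `/* Certificate-less ciphers: no cert index, callers must accept -1 */`. The mask is correct for 1.0.2, where the SRP and PSK suites that do carry a server certificate have SSL_aRSA or SSL_aDSS in algorithm_auth rather than the SSL_aSRP / SSL_aPSK bits.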

It avoids needlessly generating the "error" you reported.

-- 
	Viktor.