[openssl-commits] Errored: openssl/openssl#8045 (OpenSSL_1_0_2-stable - e203f49)

Travis CI builds at travis-ci.org
Mon Jan 23 21:41:24 UTC 2017

Build Update for openssl/openssl

Build: #8045
Status: Errored

Duration: 6 hours, 18 minutes, and 36 seconds
Commit: e203f49 (OpenSSL_1_0_2-stable)
Author: Matt Caswell

The flag SSL_VERIFY_CLIENT_ONCE is documented as follows:

  B<Server mode:> only request a client certificate on the initial TLS/SSL
  handshake. Do not ask for a client certificate again in case of a
  renegotiation. This flag must be used together with SSL_VERIFY_PEER.

  B<Client mode:> ignored

But the implementation actually did nothing. After the server sends its
ServerKeyExchange message, the code was checking s->session->peer to see if
it is NULL. If it was set then it did not ask for another client
certificate. However s->session->peer will only be set in the event of a
resumption, but a ServerKeyExchange message is only sent in the event of a
full handshake (i.e. no resumption).

The documentation suggests that the original intention was for this to
have an effect on renegotiation, and resumption doesn't come into it.

The fix is to properly check for renegotiation, not whether there is already
a client certificate in the session.

As far as I can tell this has been broken for a *long* time.

Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1984)

View the changeset: https://github.com/openssl/openssl/compare/149e98dc5fe9...e203f493f638

View the full build log and details: https://travis-ci.org/openssl/openssl/builds/194481527
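
Added example, not OpenSSL's code and not part of the original notification: a simplified C model of the check described in the commit message above, comparing the old condition (client certificate already in the session) with the fixed one (renegotiation in progress). The struct, the function names and the `M_` constants are hypothetical; a full handshake is modelled as starting with no stored peer certificate, as the commit message describes.

```c
#include <stdio.h>

/* Model constants (hypothetical names); the values mirror OpenSSL's
 * SSL_VERIFY_PEER (0x01) and SSL_VERIFY_CLIENT_ONCE (0x04). */
#define M_VERIFY_PEER        0x01
#define M_VERIFY_CLIENT_ONCE 0x04

/* Simplified state at the point where the server decides whether to
 * ask for a client certificate. */
struct hs_state {
    int renegotiation;    /* 1 if a handshake already completed on this connection */
    int session_has_peer; /* models s->session->peer != NULL */
};

/* A full handshake uses a fresh session, so no peer certificate is
 * stored yet, whether or not this is a renegotiation (assumption taken
 * from the commit message). */
static struct hs_state full_handshake(int renegotiation)
{
    struct hs_state st = { renegotiation, 0 };
    return st;
}

/* Old check: skip the request if the session already holds a peer cert. */
int old_requests_cert(struct hs_state st, int mode)
{
    if (!(mode & M_VERIFY_PEER)) return 0;
    if (st.session_has_peer && (mode & M_VERIFY_CLIENT_ONCE)) return 0;
    return 1;
}

/* Fixed check: skip the request if this handshake is a renegotiation. */
int fixed_requests_cert(struct hs_state st, int mode)
{
    if (!(mode & M_VERIFY_PEER)) return 0;
    if (st.renegotiation && (mode & M_VERIFY_CLIENT_ONCE)) return 0;
    return 1;
}

/* Count certificate requests over one initial handshake plus `renegs`
 * renegotiations, all of them full handshakes. */
int count_requests(int (*decide)(struct hs_state, int), int mode, int renegs)
{
    int i, n = 0;
    for (i = 0; i <= renegs; i++)
        n += decide(full_handshake(i > 0), mode);
    return n;
}

int main(void)
{
    int mode = M_VERIFY_PEER | M_VERIFY_CLIENT_ONCE;
    printf("old:   %d requests\n", count_requests(old_requests_cert, mode, 2));
    printf("fixed: %d requests\n", count_requests(fixed_requests_cert, mode, 2));
    return 0;
}
```

In this model the old check asks for a certificate on every handshake even with the flag set, while the fixed check asks only on the initial one.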

