[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Thu Feb 14 17:22:07 UTC 2019
The branch master has been updated
via 78021171dbcb05ddab1b5daffbfc62504ea709a4 (commit)
from 4af5836b55442f31795eff6c8c81ea7a1b8cf94b (commit)
- Log -----------------------------------------------------------------
commit 78021171dbcb05ddab1b5daffbfc62504ea709a4
Author: Matt Caswell <matt at openssl.org>
Date: Thu Jan 24 12:21:39 2019 +0000
Fix -verify_return_error in s_client
The "verify_return_error" option in s_client is documented as:
Return verification errors instead of continuing. This will typically
abort the handshake with a fatal error.
In practice this option was ignored unless also accompanied with the
"-verify" option. It's unclear what the original intention was. One fix
could have been to change the documentation to match the actual behaviour.
However it seems unecessarily complex and unexpected that you should need
to have both options. Instead the fix implemented here is make the option
match the documentation so that "-verify" is not also required.
Note that s_server has a similar option where "-verify" (or "-Verify") is
still required. This makes more sense because those options additionally
request a certificate from the client. Without a certificate there is no
possibility of a verification failing, and so "-verify_return_error" doing
nothing seems ok.
Fixes #8079
Reviewed-by: Nicola Tuveri <nic.tuv at gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8080)
-----------------------------------------------------------------------
Summary of changes:
apps/s_cb.c | 4 ++--
apps/s_client.c | 1 +
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/apps/s_cb.c b/apps/s_cb.c
index af57c34..705550b 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -24,7 +24,7 @@
#define COOKIE_SECRET_LENGTH 16
-VERIFY_CB_ARGS verify_args = { 0, 0, X509_V_OK, 0 };
+VERIFY_CB_ARGS verify_args = { -1, 0, X509_V_OK, 0 };
#ifndef OPENSSL_NO_SOCK
static unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
@@ -63,7 +63,7 @@ int verify_callback(int ok, X509_STORE_CTX *ctx)
if (!ok) {
BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
X509_verify_cert_error_string(err));
- if (verify_args.depth >= depth) {
+ if (verify_args.depth < 0 || verify_args.depth >= depth) {
if (!verify_args.return_error)
ok = 1;
verify_args.error = err;
diff --git a/apps/s_client.c b/apps/s_client.c
index 2a8313d..a30dff4 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1138,6 +1138,7 @@ int s_client_main(int argc, char **argv)
goto opthelp;
break;
case OPT_VERIFY_RET_ERROR:
+ verify = SSL_VERIFY_PEER;
verify_args.return_error = 1;
break;
case OPT_VERIFY_QUIET:
More information about the openssl-commits
mailing list