[openssl-users] Is verification supposed to fail with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT without SSL_CTX_set_client_CA_list?

Jeffrey Walton noloader at gmail.com
Sat Feb 27 21:22:22 UTC 2016


This came up recently on Stack Overflow. The server code specified
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, but failed to call
SSL_CTX_set_client_CA_list. The connection did not fail as expected.

Looking at the man page for SSL_CTX_set_verify [1] and
SSL_CTX_set_client_CA_list [2] it looks like the connection is
supposed to fail. From [1]:

    SSL_VERIFY_FAIL_IF_NO_PEER_CERT

        Server mode: if the client did not return a certificate,
        the TLS/SSL handshake is immediately terminated
        with a "handshake failure" alert...

Is verification supposed to fail with SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT regardless of the interactions with
SSL_CTX_set_client_CA_list? Or is there a hidden dependency on
SSL_CTX_set_client_CA_list?

[1] http://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_verify.html
[2] http://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_client_CA_list.html


More information about the openssl-users mailing list