[openssl-users] Is verification supposed to fail with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT without SSL_CTX_set_client_CA_list?
noloader at gmail.com
Sat Feb 27 21:22:22 UTC 2016
This came up recently on Stack Overflow. The server code specified
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, but failed to call
SSL_CTX_set_client_CA_list. The connection did not fail as expected.
Looking at the man page for SSL_CTX_set_verify  and
SSL_CTX_set_client_CA_list  it looks like the connection is
supposed to fail. From :
Server mode: if the client did not return a certificate,
the TLS/SSL handshake is immediately terminated
with a "handshake failure" alert...
Is verification supposed to fail with SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT regardless of the interactions with
SSL_CTX_set_client_CA_list? Or is there a hidden dependency on
More information about the openssl-users