[openssl-users] Is verification supposed to fail with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT without SSL_CTX_set_client_CA_list?
michel.sales at free.fr
Sat Feb 27 22:41:57 UTC 2016
As your post alarmed me, I tried my test programs again and didn't notice
I have server code whose context is configured with SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT and which does not call
In this case, the handshake is failing as expected when clients didn't send a
OpenSSL Windows 32 bits version 1.1 from git repo yesterday.
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of
Sent: Saturday, February 27, 2016 22:22
To: OpenSSL Users List
Subject: [openssl-users] Is verification supposed to fail with
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT without
This came up recently on Stack Overflow. The server code specified
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, but failed to call
SSL_CTX_set_client_CA_list. The connection did not fail as expected.
Looking at the man page for SSL_CTX_set_verify and
SSL_CTX_set_client_CA_list it looks like the connection is supposed to
fail. From :
Server mode: if the client did not return a certificate,
the TLS/SSL handshake is immediately terminated
with a "handshake failure" alert...
Is verification supposed to fail with SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT regardless of the interactions with
SSL_CTX_set_client_CA_list? Or is there a hidden dependency on