summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatt Caswell <matt@openssl.org>2019-01-24 13:21:39 +0100
committerMatt Caswell <matt@openssl.org>2019-02-14 18:07:57 +0100
commit78021171dbcb05ddab1b5daffbfc62504ea709a4 (patch)
treec6c683be1d8ef21eb16b3c0068ed9d00d031f6cd
parentDon't signal SSL_CB_HANDSHAKE_START for TLSv1.3 post-handshake messages (diff)
downloadopenssl-78021171dbcb05ddab1b5daffbfc62504ea709a4.tar.xz
openssl-78021171dbcb05ddab1b5daffbfc62504ea709a4.zip
Fix -verify_return_error in s_client
The "verify_return_error" option in s_client is documented as: Return verification errors instead of continuing. This will typically abort the handshake with a fatal error. In practice this option was ignored unless also accompanied with the "-verify" option. It's unclear what the original intention was. One fix could have been to change the documentation to match the actual behaviour. However it seems unecessarily complex and unexpected that you should need to have both options. Instead the fix implemented here is make the option match the documentation so that "-verify" is not also required. Note that s_server has a similar option where "-verify" (or "-Verify") is still required. This makes more sense because those options additionally request a certificate from the client. Without a certificate there is no possibility of a verification failing, and so "-verify_return_error" doing nothing seems ok. Fixes #8079 Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8080)
-rw-r--r--apps/s_cb.c4
-rw-r--r--apps/s_client.c1
2 files changed, 3 insertions, 2 deletions
diff --git a/apps/s_cb.c b/apps/s_cb.c
index af57c34558..705550b676 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -24,7 +24,7 @@
#define COOKIE_SECRET_LENGTH 16
-VERIFY_CB_ARGS verify_args = { 0, 0, X509_V_OK, 0 };
+VERIFY_CB_ARGS verify_args = { -1, 0, X509_V_OK, 0 };
#ifndef OPENSSL_NO_SOCK
static unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
@@ -63,7 +63,7 @@ int verify_callback(int ok, X509_STORE_CTX *ctx)
if (!ok) {
BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
X509_verify_cert_error_string(err));
- if (verify_args.depth >= depth) {
+ if (verify_args.depth < 0 || verify_args.depth >= depth) {
if (!verify_args.return_error)
ok = 1;
verify_args.error = err;
diff --git a/apps/s_client.c b/apps/s_client.c
index 2a8313d7f4..a30dff44cf 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1138,6 +1138,7 @@ int s_client_main(int argc, char **argv)
goto opthelp;
break;
case OPT_VERIFY_RET_ERROR:
+ verify = SSL_VERIFY_PEER;
verify_args.return_error = 1;
break;
case OPT_VERIFY_QUIET: