| author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-05-13 00:36:56 -0400 |
|---|---|---|
| committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-05-19 00:25:42 -0400 |
| commit | f75b34c8c81d7277fa002120d4c8dc36c39d1ff5 (patch) | |
| tree | 118cb3d0ae80b77e3f8e729005ca67bfe3eb5daf /crypto/x509 | |
| parent | a5a3722bc185b2baaaa183dcaafaf17b3d07a5fa (diff) | |
When strict SCT fails record verification failure
Since with SSL_VERIFY_NONE, the connection may continue and the
session may even be cached, we should save some evidence that the
chain was not sufficiently verified and would have been rejected
with SSL_VERIFY_PEER. To that end when a CT callback returns failure
we set the verify result to X509_V_ERR_NO_VALID_SCTS.
Note: We only run the CT callback in the first place if the verify
result is still X509_V_OK prior to start of the callback.
RT #4502
Reviewed-by: Tim Hudson <tjh@openssl.org>
Diffstat (limited to 'crypto/x509')
-rw-r--r-- | crypto/x509/x509_txt.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c index 5341e79669..ae54de1c31 100644 --- a/crypto/x509/x509_txt.c +++ b/crypto/x509/x509_txt.c @@ -165,6 +165,8 @@ const char *X509_verify_cert_error_string(long n) return ("Invalid certificate verification context"); case X509_V_ERR_STORE_LOOKUP: return ("Issuer certificate lookup error"); + case X509_V_ERR_NO_VALID_SCTS: + return ("Certificate Transparency required, but no valid SCTs found"); default: /* Printing an error number into a static buffer is not thread-safe */ |
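Review bot: this hunk only adds the human-readable string for X509_V_ERR_NO_VALID_SCTS; neither the definition of that error code nor the CT callback path that sets it as the verify result (described in the commit message) appears here, and the diffstat is limited to crypto/x509, so confirm the header definition and the ssl/ side of the change land in the same commit, otherwise this case is unreachable. The new error code should also be added to the documentation that lists verification error codes and their strings, so that applications checking the verify result after an SSL_VERIFY_NONE handshake know to treat it as a failed chain.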