diff options
author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-04-02 16:47:48 -0400 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-04-07 14:41:34 -0400 |
commit | c636c1c470fd2b4b0cb546e6ee85971375e42ec1 (patch) | |
tree | 68c9a306d606ae2bae3a77ee677999209ccdd7b4 /doc/ssl | |
parent | 6afef8b1fb679df7d6a8606d713192c9907b1890 (diff) |
Fix client verify mode to check SSL_VERIFY_PEER
The original check for != SSL_VERIFY_NONE can give surprising results
when flags SSL_VERIFY_PEER is not set, but other flags are. Note
that SSL_VERIFY_NONE (0) is not a flag bit, it is rather the absense
of all other flag bits.
Signed-off-by: Rob Percival <robpercival@google.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Diffstat (limited to 'doc/ssl')
-rw-r--r-- | doc/ssl/SSL_CTX_set_verify.pod | 15 |
1 files changed, 1 insertions, 14 deletions
diff --git a/doc/ssl/SSL_CTX_set_verify.pod b/doc/ssl/SSL_CTX_set_verify.pod index 5da4166949..d60bb6a3ed 100644 --- a/doc/ssl/SSL_CTX_set_verify.pod +++ b/doc/ssl/SSL_CTX_set_verify.pod @@ -89,8 +89,7 @@ B<Client mode:> ignored =back -Exactly one of the B<mode> flags SSL_VERIFY_NONE and SSL_VERIFY_PEER must be -set at any time. +If the B<mode> is SSL_VERIFY_NONE none of the other flags may be set. The actual verification procedure is performed either using the built-in verification procedure or using another application provided verification @@ -146,18 +145,6 @@ Its return value is identical to B<preverify_ok>, so that any verification failure will lead to a termination of the TLS/SSL handshake with an alert message, if SSL_VERIFY_PEER is set. -=head1 BUGS - -In client mode, it is not checked whether the SSL_VERIFY_PEER flag -is set, but whether SSL_VERIFY_NONE is not set. This can lead to -unexpected behaviour, if the SSL_VERIFY_PEER and SSL_VERIFY_NONE are not -used as required (exactly one must be set at any time). - -The certificate verification depth set with SSL[_CTX]_verify_depth() -stops the verification at a certain depth. The error message produced -will be that of an incomplete certificate chain and not -X509_V_ERR_CERT_CHAIN_TOO_LONG as may be expected. - =head1 RETURN VALUES The SSL*_set_verify*() functions do not provide diagnostic information. |