diff options
| -rw-r--r-- | doc/ssl/SSL_CTX_add1_chain_cert.pod | 12 | ||||
| -rw-r--r-- | ssl/ssl.h | 2 | ||||
| -rw-r--r-- | ssl/ssl_cert.c | 7 |
3 files changed, 18 insertions, 3 deletions
diff --git a/doc/ssl/SSL_CTX_add1_chain_cert.pod b/doc/ssl/SSL_CTX_add1_chain_cert.pod index b508a342a5..786f31e4f6 100644 --- a/doc/ssl/SSL_CTX_add1_chain_cert.pod +++ b/doc/ssl/SSL_CTX_add1_chain_cert.pod @@ -60,7 +60,9 @@ existing chain certificates as untrusted CAs, B<SSL_BUILD_CHAIN_FLAG_NO_ROOT> to omit the root CA from the built chain, B<SSL_BUILD_CHAIN_FLAG_CHECK> to use all existing chain certificates only to build the chain (effectively sanity checking and rearranging them if necessary), the flag -B<SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR> ignores any errors during verification. +B<SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR> ignores any errors during verification: +if flag B<SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR> is also set verification errors +are cleared from the error queue. Each of these functions operates on the I<current> end entity (i.e. server or client) certificate. This is the last certificate loaded or @@ -113,6 +115,10 @@ For example an application can add any set of certificates using SSL_CTX_use_certificate_chain_file() then call SSL_CTX_build_cert_chain() with the option B<SSL_BUILD_CHAIN_FLAG_CHECK> to check and reorder them. +Applications can issue non fatal warnings when checking chains by setting +the flag B<SSL_BUILD_CHAIN_FLAG_IGNORE_ERRORS> and checking the return +value. + Calling SSL_CTX_build_cert_chain() or SSL_build_cert_chain() is more efficient than the automatic chain building as it is only performed once. Automatic chain building is performed on each new session. @@ -126,6 +132,10 @@ SSL_set_current_cert() with B<SSL_CERT_SET_SERVER> return 1 for success, 2 if no server certificate is used because the ciphersuites is anonymous and 0 for failure. +SSL_CTX_build_cert_chain() and SSL_build_cert_chain() return 1 for success +and 0 for failure. If the flag B<SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR> and +a verification error occurs then 2 is returned. + All other functions return 1 for success and 0 for failure. =head1 SEE ALSO @@ -791,6 +791,8 @@ struct ssl_session_st #define SSL_BUILD_CHAIN_FLAG_CHECK 0x4 /* Ignore verification errors */ #define SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR 0x8 +/* Clear verification errors from queue */ +#define SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR 0x10 /* Flags returned by SSL_check_chain */ /* Certificate can be used with this session */ diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 09ea611d8a..3ad0f8bca3 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -1247,8 +1247,10 @@ int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags) i = X509_verify_cert(&xs_ctx); if (i <= 0 && flags & SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR) { - ERR_clear_error(); + if (flags & SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR) + ERR_clear_error(); i = 1; + rv = 2; } if (i > 0) chain = X509_STORE_CTX_get1_chain(&xs_ctx); @@ -1283,7 +1285,8 @@ int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags) } } cpk->chain = chain; - rv = 1; + if (rv == 0) + rv = 1; err: if (flags & SSL_BUILD_CHAIN_FLAG_CHECK) X509_STORE_free(chain_store); |