From dfb39f73132edf56daaad189e6791d1bdb57c4db Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Mon, 7 Mar 2022 15:46:58 +0100
Subject: Replace handling of negative verification result with SSL_set_retry_verify()

Provide a different mechanism to indicate that the application wants to
retry the verification. The negative result of the callback function now
indicates an error again. Instead, the SSL_set_retry_verify() can be called
from the callback to indicate that the handshake should be suspended.

Fixes #17568

Reviewed-by: David von Oheimb
Reviewed-by: Viktor Dukhovni
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/17825)
---
 CHANGES.md | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'CHANGES.md')

diff --git a/CHANGES.md b/CHANGES.md
index c7e3391d4b..eb6174966f 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -123,6 +123,12 @@ breaking changes, and mappings for the large list of deprecated functions. *Paul Dale* + * The negative return value handling of the certificate verification callback + was reverted. The replacement is to set the verification retry state with + the SSL_set_retry_verify() function. + + *Tomáš Mráz* + ### Changes between 3.0.0 and 3.0.1 [14 dec 2021] * Fixed invalid handling of X509_verify_cert() internal errors in libssl
-- 
cgit v1.2.3
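Review bot: the added CHANGES.md entry ("The negative return value handling of the certificate verification callback was reverted") does not tell a reader what a negative return from the callback now means, which release introduced the behaviour being reverted, or that SSL_set_retry_verify() is to be called from inside the callback; the commit message states that a negative result "now indicates an error again" and that the function suspends the handshake, and an application author reading only the changelog needs that. Suggest wording the entry along the lines of: "A negative return value from the certificate verification callback is again treated as a verification error. To suspend the handshake and have verification retried, the callback should instead call SSL_set_retry_verify()." It would also help to reference the issue this fixes (#17568 in the commit message) in the entry, as other entries in this file do for tracked issues.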