From 43341433a88a6a2cd38c35359f48653e809b10cd Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni
Date: Thu, 7 Apr 2016 14:17:37 -0400
Subject: Suppress CT callback as appropriate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Suppress CT callbacks with aNULL or PSK ciphersuites that involve no certificates. Ditto when the certificate chain is validated via DANE-TA(2) or DANE-EE(3) TLSA records. Also skip SCT processing when the chain is fails verification.

Move and consolidate CT callbacks from libcrypto to libssl. We also simplify the interface to SSL_{,CTX_}_enable_ct() which can specify either a permissive mode that just collects information or a strict mode that requires at least one valid SCT or else asks to abort the connection.

Simplified SCT processing and options in s_client(1) which now has just a simple pair of "-noct" vs. "-ct" options, the latter enables the permissive callback so that we can complete the handshake and report all relevant information.

When printing SCTs, print the validation status if set and not valid.

Signed-off-by: Rob Percival
Reviewed-by: Emilia Käsper
---
 ssl/ssl_locl.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'ssl/ssl_locl.h')

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 4a2b52d19e..8c8876c88e 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -816,7 +816,7 @@ struct ssl_ctx_st {
 * Validates that the SCTs (Signed Certificate Timestamps) are sufficient.
 * If they are not, the connection should be aborted.
 */
- ct_validation_cb ct_validation_callback;
+ ssl_ct_validation_cb ct_validation_callback;
 void *ct_validation_callback_arg;
 # endif
@@ -1123,7 +1123,7 @@ struct ssl_st {
 * Validates that the SCTs (Signed Certificate Timestamps) are sufficient.
 * If they are not, the connection should be aborted.
 */
- ct_validation_cb ct_validation_callback;
+ ssl_ct_validation_cb ct_validation_callback;
 /* User-supplied argument tha tis passed to the ct_validation_callback */
 void *ct_validation_callback_arg;
 /*
-- cgit v1.2.3
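Review bot: The comment above the retyped `ct_validation_callback` field still says `If they are not, the connection should be aborted`, but the commit message introduces a permissive mode in which the callback only collects information, so the field's documentation now overstates what an `ssl_ct_validation_cb` return implies; the same stale comment sits above the `struct ssl_ctx_st` field in the first hunk. A reader auditing where CT failures actually abort a handshake would be misled into treating this field as a hard enforcement point, when the commit message says enforcement depends on the strict-vs-permissive setting chosen via SSL_{,CTX_}_enable_ct(). I would reword both comments to something like `Validates that the SCTs (Signed Certificate Timestamps) are sufficient. In strict mode an insufficient set asks that the connection be aborted; in permissive mode the result is only recorded.` The context line `/* User-supplied argument tha tis passed to the ct_validation_callback */` also carries a typo (`tha tis`) that could be fixed while the surrounding lines are being touched. `struct ssl_st` continues beyond this hunk, so any further fields of the CT block are outside what is visible here.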