openssl/doc
Matt Caswell c8e2f98c97 Partial revert of "Fix client verify mode to check SSL_VERIFY_PEER"
This partially reverts commit c636c1c47. It also tweaks the documentation
and comments in this area. On the client side the documented interface for
SSL_CTX_set_verify()/SSL_set_verify() is that setting the flag
SSL_VERIFY_PEER causes verification of the server certificate to take place.
Previously what was implemented was that if *any* flag was set then
verification would take place. The above commit improved the semantics to
be as per the documented interface.

However, we have had a report of at least one application where an
application was incorrectly using the interface and used *only*
SSL_VERIFY_FAIL_IF_NO_PEER_CERT on the client side. In OpenSSL prior to
the above commit this still caused verification of the server certificate
to take place. After this commit the application silently failed to verify
the server certificate.

Ideally SSL_CTX_set_verify()/SSL_set_verify() could be modified to indicate
if invalid flags were being used. However these are void functions!

The simplest short term solution is to revert to the previous behaviour
which at least means we "fail closed" rather than "fail open".

Thanks to Cory Benfield for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-07 16:02:50 +00:00
..
HOWTO Update the example in proxy_certificates.txt 2016-07-26 09:43:21 +02:00
man1 Add the SSL_METHOD for TLSv1.3 and all other base changes required 2016-11-02 13:08:21 +00:00
man3 Partial revert of "Fix client verify mode to check SSL_VERIFY_PEER" 2016-11-07 16:02:50 +00:00
man5 Move manpages to man[1357] structure. 2016-10-26 13:59:52 -04:00
man7 Document the newly added SSL functions 2016-11-04 12:09:46 +00:00
dir-locals.example.el Adjust the general fill-column in doc/dir-locals.example.el 2015-09-08 00:59:50 +02:00
fingerprints.txt RT3802: Fixes typos in doc/crypto/ 2015-05-03 08:51:23 -04:00
openssl-c-indent.el Correct another batch of typos 2016-03-22 21:57:26 -04:00
README Move manpages to man[1357] structure. 2016-10-26 13:59:52 -04:00

README  This file

fingerprints.txt
        PGP fingerprints of authorized release signers

standards.txt
        Moved to the web, https://www.openssl.org/docs/standards.html

HOWTO/
        A few how-to documents; not necessarily up-to-date

man1/
        The openssl command-line tools; start with openssl.pod

man3/
        The SSL library and the crypto library

man5/
        File formats

man7/
        Overviews; start with crypto.pod and ssl.pod, for example

Formatted versions of the manpages (apps,ssl,crypto) can be found at
        https://www.openssl.org/docs/manpages.html