openssl/ssl
Matt Caswell c8e2f98c97 Partial revert of "Fix client verify mode to check SSL_VERIFY_PEER"
This partially reverts commit c636c1c47. It also tweaks the documentation
and comments in this area. On the client side the documented interface for
SSL_CTX_set_verify()/SSL_set_verify() is that setting the flag
SSL_VERIFY_PEER causes verfication of the server certificate to take place.
Previously what was implemented was that if *any* flag was set then
verification would take place. The above commit improved the semantics to
be as per the documented interface.

However, we have had a report of at least one application where an
application was incorrectly using the interface and used *only*
SSL_VERIFY_FAIL_IF_NO_PEER_CERT on the client side. In OpenSSL prior to
the above commit this still caused verification of the server certificate
to take place. After this commit the application silently failed to verify
the server certificate.

Ideally SSL_CTX_set_verify()/SSL_set_verify() could be modified to indicate
if invalid flags were being used. However these are void functions!

The simplest short term solution is to revert to the previous behaviour
which at least means we "fail closed" rather than "fail open".

Thanks to Cory Benfield for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-07 16:02:50 +00:00
..
record Ignore the record version in TLS1.3 2016-11-07 15:52:33 +00:00
statem Partial revert of "Fix client verify mode to check SSL_VERIFY_PEER" 2016-11-07 16:02:50 +00:00
bio_ssl.c Test the size_t constant time functions 2016-11-04 12:09:46 +00:00
build.info First pass at writing a writeable packets API 2016-09-13 09:41:21 +01:00
d1_lib.c Add some PACKET functions for size_t 2016-11-04 12:09:46 +00:00
d1_msg.c Convert libssl writing for size_t 2016-11-04 12:09:45 +00:00
d1_srtp.c Fix some missed size_t updates 2016-11-04 12:09:45 +00:00
methods.c Add the SSL_METHOD for TLSv1.3 and all other base changes required 2016-11-02 13:08:21 +00:00
packet_locl.h Fix some style issues from libssl size_tify review 2016-11-04 12:09:46 +00:00
packet.c Remove trailing whitespace from some files. 2016-10-10 23:36:21 +01:00
pqueue.c Fix a missed size_t variable declaration 2016-11-04 12:09:46 +00:00
s3_cbc.c Provide some constant time functions for dealing with size_t values 2016-11-04 12:09:46 +00:00
s3_enc.c Fix misc size_t issues causing Windows warnings in 64 bit 2016-11-04 12:09:46 +00:00
s3_lib.c Rename all "read" variables with "readbytes" 2016-11-04 12:09:46 +00:00
s3_msg.c Fix some missed size_t updates 2016-11-04 12:09:45 +00:00
ssl_asn1.c Fix misc size_t issues causing Windows warnings in 64 bit 2016-11-04 12:09:46 +00:00
ssl_cert.c Style tweaks following review feedback 2016-09-20 10:16:56 +01:00
ssl_ciph.c Fix misc size_t issues causing Windows warnings in 64 bit 2016-11-04 12:09:46 +00:00
ssl_conf.c Add the SSL_METHOD for TLSv1.3 and all other base changes required 2016-11-02 13:08:21 +00:00
ssl_err.c Convert libssl writing for size_t 2016-11-04 12:09:45 +00:00
ssl_init.c Indent ssl/ 2016-08-18 14:02:29 +02:00
ssl_lib.c Rename all "read" variables with "readbytes" 2016-11-04 12:09:46 +00:00
ssl_locl.h Rename all "read" variables with "readbytes" 2016-11-04 12:09:46 +00:00
ssl_mcnf.c Fix misc size_t issues causing Windows warnings in 64 bit 2016-11-04 12:09:46 +00:00
ssl_rsa.c Indent ssl/ 2016-08-18 14:02:29 +02:00
ssl_sess.c Fix misc size_t issues causing Windows warnings in 64 bit 2016-11-04 12:09:46 +00:00
ssl_stat.c Add missing debug strings. 2016-09-07 16:08:38 -04:00
ssl_txt.c Fix misc size_t issues causing Windows warnings in 64 bit 2016-11-04 12:09:46 +00:00
ssl_utst.c Copyright consolidation 01/10 2016-05-17 14:19:19 -04:00
t1_enc.c Ensure SSL_DEBUG works following size_t changes 2016-11-04 12:09:46 +00:00
t1_ext.c Delete some unneeded code 2016-09-29 10:06:46 +01:00
t1_lib.c Fix misc size_t issues causing Windows warnings in 64 bit 2016-11-04 12:09:46 +00:00
t1_reneg.c Fix misc size_t issues causing Windows warnings in 64 bit 2016-11-04 12:09:46 +00:00
t1_trce.c Correct the Id for the TLS1.3 ciphersuite 2016-11-07 15:47:22 +00:00
tls_srp.c Indent ssl/ 2016-08-18 14:02:29 +02:00