Hi Everyone,

Re: https://cwe.mitre.org/data/definitions/295.html . The code in Example 2:

    The following OpenSSL code obtains a certificate and verifies it.

    cert = SSL_get_peer_certificate(ssl);
    if (cert && (SSL_get_verify_result(ssl)==X509_V_OK)) {
        // do secret things

The sharp edge is here (and used throughout the examples):

    cert = SSL_get_peer_certificate(ssl);

I think it would be a good idea to point out for readers that
SSL_get_peer_certificate(...) can return NULL _if_ Anonymous
Diffie-Hellman (or  Anonymous ECDH) is used. That's because a server
does not send a certificate (even if one is available) when ADH is
used. And clearly state ADH should not be used in cipher suites
because it is equivalent to sending a certificate but not validating
that certificate.

I prefer something like this to make a missing certificate an explicit error:

    cert = SSL_get_peer_certificate(ssl);
    if (cert == NULL) {
        /* No certificate. ADH? Reject the connection. */
        return error;
    if (SSL_get_verify_result(ssl) != X509_V_OK) {
        /* Validation failed. */
        return error;
    /* Do secret things */

    /* Decrement the reference count. */


Reply via email to