Hi Everyone,

Re: https://cwe.mitre.org/data/definitions/295.html . The code in Example 2:

<QUOTE>
The following OpenSSL code obtains a certificate and verifies it.

    cert = SSL_get_peer_certificate(ssl);
    if (cert && (SSL_get_verify_result(ssl)==X509_V_OK)) {
        // do secret things
    }
</QUOTE>

The sharp edge is here (and used throughout the examples):

    cert = SSL_get_peer_certificate(ssl);

I think it would be a good idea to point out for readers that SSL_get_peer_certificate(...) can return NULL _if_ Anonymous Diffie-Hellman (or Anonymous ECDH) is used. That's because a server does not send a certificate (even if one is available) when ADH is used.

And clearly state ADH should not be used in cipher suites because it is equivalent to sending a certificate but not validating that certificate.

I prefer something like this to make a missing certificate an explicit error:

    cert = SSL_get_peer_certificate(ssl);
    if (cert == NULL) {
        /* No certificate. ADH? Reject the connection. */
        return error;
    }

    if (SSL_get_verify_result(ssl) != X509_V_OK) {
        /* Validation failed. Release the certificate before returning. */
        X509_free(cert);
        return error;
    }

    /* Do secret things */

    /* Decrement the reference count. */
    X509_free(cert);

Jeff
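A strict lint for OpenSSL cipher-list strings, following the point above that ADH should not appear in cipher suites. This is an added example, not part of the original post or of the CWE entry; `lint_cipher_list` and the `anon_lint` values are hypothetical names, and requiring an explicit `!aNULL` is this example's policy, not a reimplementation of OpenSSL's own parser.

```c
#include <string.h>

/* Added example: strict lint for an OpenSSL cipher-list string.
 * Policy (an assumption of this example): the string must carry the
 * permanent exclusion "!aNULL"; suites removed with '!' are never re-added. */
enum anon_lint {
    ANON_EXCLUDED,      /* "!aNULL" present */
    ANON_NOT_EXCLUDED,  /* no "!aNULL"; groups such as ALL or HIGH may include ADH */
    ANON_ENABLED        /* no "!aNULL" and an anonymous keyword is selected */
};

/* True if one '+'-joined component of a token names anonymous suites. */
static int names_anon(const char *s, size_t n)
{
    return (n == 5 && memcmp(s, "aNULL", 5) == 0) ||
           (n == 3 && memcmp(s, "ADH", 3) == 0) ||
           (n == 5 && memcmp(s, "AECDH", 5) == 0);
}

enum anon_lint lint_cipher_list(const char *list)
{
    int enabled = 0;
    const char *p = list;

    while (*p) {
        size_t len = strcspn(p, ":, ");   /* ':', ',' and ' ' all separate tokens */
        if (len == 6 && memcmp(p, "!aNULL", 6) == 0)
            return ANON_EXCLUDED;         /* permanent removal, order irrelevant */
        /* '!' and '-' remove suites and '+' only reorders: none of them adds any. */
        if (len > 0 && *p != '!' && *p != '-' && *p != '+') {
            const char *c = p, *end = p + len;
            while (c < end) {             /* walk "ADH+AES"-style combinations */
                size_t clen = 0;
                while (c + clen < end && c[clen] != '+')
                    clen++;
                if (names_anon(c, clen))
                    enabled = 1;
                c += clen;
                if (c < end)
                    c++;                  /* skip the '+' */
            }
        }
        p += len;
        if (*p)
            p++;                          /* skip the separator */
    }
    return enabled ? ANON_ENABLED : ANON_NOT_EXCLUDED;
}
```

The lint covers configuration only; the NULL check on the peer certificate in the code above still belongs in the connection path.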