Peter 'Luna' Runestig <[EMAIL PROTECTED]>:
> Problem:
>
> If the negotiated cipher is ADH (ie, the SSL_aNULL flag is set) and if
> the verify mode is SSL_VERIFY_PEER, the server will send a certificate
> request to the client. The receipt of this request by the client is
> considered a fatal protocol error in TLS. Therefore, the request
> should not be sent.
>
> Fix:
>
> The following patch to s3_srvr.c prevents the sending of the
> certificate request by the server when the cipher suite is anonymous.
Probably ADH ciphers should be automatically excluded if
SSL_VERIFY_PEER is set. SSL_VERIFY_PEER usually means that the
application *wants* the handshake to fail unless the peer can be
authenticated; they should never set SSL_VERIFY_PEER if they
want anonymous ciphers.
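An added example, not part of this thread or of OpenSSL's own code, showing the application-side form of that rule with Python's ssl module (which wraps OpenSSL): a server context that requires peer authentication while excluding anonymous suites, plus a check that flags the inconsistent combination. The cipher string and function names are my own assumptions.

```python
import ssl

# Cipher string assumed for this example: OpenSSL's defaults minus
# anonymous key exchange (aNULL) and null encryption (eNULL).
SAFE_CIPHERS = "DEFAULT:!aNULL:!eNULL"


def server_context_requiring_peer_auth(cipher_spec=SAFE_CIPHERS):
    """Server context that demands a client certificate.

    CERT_REQUIRED maps to SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
    so the server will send a CertificateRequest. Anonymous suites are
    excluded up front, so that request can never go out over an ADH/AECDH
    handshake, the case the thread above describes.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers(cipher_spec)
    return ctx


def anonymous_suites(ctx):
    """Names of enabled suites that provide no peer authentication."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["auth"] in ("auth-null", "auth-none")]


def policy_violations(ctx):
    """Apply the rule from the reply: peer verification and anonymous
    suites must not be enabled together. Returns a list of findings,
    empty when the context is consistent."""
    findings = []
    anon = anonymous_suites(ctx)
    if ctx.verify_mode != ssl.CERT_NONE and anon:
        findings.append("verify_mode requires peer authentication but "
                        "anonymous suites are enabled: " + ", ".join(anon))
    return findings


if __name__ == "__main__":
    ctx = server_context_requiring_peer_auth()
    print("enabled suites:", len(ctx.get_ciphers()))
    print("anonymous suites:", anonymous_suites(ctx))
    print("violations:", policy_violations(ctx))
```

Running `policy_violations` against every context an application builds catches the SSL_VERIFY_PEER-plus-ADH combination at configuration time rather than as a failed handshake.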
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]