Hi!

When using an OpenSSL server, it may ask the client for a certificate.
When no certificate is presented, the result of SSL_get_verify_result()
is still "X509_V_OK", as this is the default value set in SSL_new() and it
is not touched in ssl?_get_client_certificate() in the path to be executed
when (sk_X509_num(sk) <= 0), e.g. at ssl/s3_srvr.c:1667.

I would recommend changing the default value of verify_result to "1" (which
is the error value) in ssl/ssl_lib.c:220. This should not have any negative
effect, since verify_result is set to the result of ssl_verify_cert_chain()
in the case of presented certificates. ssl_verify_cert_chain() does not
depend on the default setting of ssl->verify_result.

BTW, as I just noticed: SSL_clear() does not touch verify_result, so that the
last value will be reused if no certificate is presented. SSL_clear()
should also reset verify_result=1.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
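
The behaviour described in the mail above, as an added C example that is not part of the original message and is not OpenSSL source. It is a simplified model (the `conn` struct and every function name are hypothetical) of the default value, the no-certificate path and reuse after `SSL_clear()`, comparing an application check of the verify result alone with one that also requires a presented certificate.

```c
#include <stdio.h>
/* Simplified model of the behaviour described in the mail. The struct and
 * functions are hypothetical stand-ins, not OpenSSL's types or source. */
#define V_OK  0L   /* same value as X509_V_OK */
#define V_ERR 1L   /* the error value "1" proposed in the mail */

struct conn {
    long verify_result;  /* models ssl->verify_result */
    const char *peer;    /* models the peer certificate; NULL if none was sent */
};
/* Models SSL_new(): verify_result starts at the chosen default. */
static void conn_new(struct conn *c, long dflt) { c->verify_result = dflt; c->peer = NULL; }
/* Models SSL_clear(): verify_result survives unless resets is set. */
static void conn_clear(struct conn *c, int resets) { c->peer = NULL; if (resets) c->verify_result = V_ERR; }

/* Models the server processing the client's certificate message. */
static void conn_handshake(struct conn *c, const char *cert, long chain_result) {
    if (cert == NULL) return;         /* empty chain: verify_result is left untouched */
    c->peer = cert;
    c->verify_result = chain_result;  /* result of chain verification */
}

/* Application check; strict additionally requires that a certificate was presented. */
static int accepted(const struct conn *c, int strict) {
    return (!strict || c->peer != NULL) && c->verify_result == V_OK;
}

/* Fresh connection object, client sends no certificate. */
int fresh_no_cert(long dflt, int strict) {
    struct conn c;
    conn_new(&c, dflt);
    conn_handshake(&c, NULL, V_ERR);
    return accepted(&c, strict);
}

/* A verified client first, then the object is cleared and reused without a certificate. */
int reused_no_cert(int clear_resets, int strict) {
    struct conn c;
    conn_new(&c, V_ERR);
    conn_handshake(&c, "constructed-client-cert", V_OK);  /* constructed sample value */
    conn_clear(&c, clear_resets);
    conn_handshake(&c, NULL, V_ERR);
    return accepted(&c, strict);
}

int main(void) {
    printf("naive:  fresh=%d reused=%d\n", fresh_no_cert(V_OK, 0), reused_no_cert(0, 0));
    printf("strict: fresh=%d reused=%d\n", fresh_no_cert(V_OK, 1), reused_no_cert(0, 1));
    return 0;
}
```

In the model, changing the default alone does not cover the reuse case; either resetting the value on clear or checking for a presented certificate in the application does.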