>       From: [email protected] On Behalf Of Joss T
>       Sent: Tuesday, 13 December, 2011 04:16

>       In the context of sending requests, I've seen a number of people 
> using SSL_VERIFY_PEER in combination with SSL_VERIFY_FAIL_IF_NO_PEER_CERT 
> e.g. (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT).

>       That seems strange, since according to the docs <snip> 
> SSL_VERIFY_FAIL_IF_NO_PEER_CERT is ignored in client mode. 
> Is there any reason for combining them, or are these people just doing it
> wrong?

It is ignored. Possibly they are using the same context for both client 
and server, or copying from code that does or did. Since it is ignored 
and does no harm, no one is going to be motivated to 'fix' it.

>       Also, from docs regarding client mode, could someone please explain 
> what is meant by "If no server certificate is sent, because an anonymous 
> cipher is used, SSL_VERIFY_PEER is ignored."? I don't understand why 
> VERIFY_PEER would ever be ignored.

Peer verification is done by looking at the received certificate. 
For anonymous ciphersuites, no certificate is sent (in either direction). 
If there is no certificate to verify, you can't do verification.

>       Basically, I'm trying to make sure that no matter what, I am never 
> sending requests to the server without verification.

Don't offer anonymous ciphersuites. By default OpenSSL disables 
all aNULL and eNULL ciphersuites, so this is only an issue if you 
(can) make an API call to set the cipherlist; if so, make sure 
the string you pass doesn't enable them, or alternatively check 
after setting to make sure none were set, or after connection 
(but before sending data) to make sure none was negotiated.
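
An added example of those two checks (mine, not code from the thread or from 
OpenSSL), written against Python's ssl module since it wraps the same OpenSSL 
cipher-list and handshake calls: it assumes OpenSSL reports anonymous suites 
with an 'auth' value of "auth-null" and names beginning ADH-/AECDH-, and the 
function names are my own.

```python
import ssl

# Name prefixes OpenSSL gives anonymous suites, used where the ssl module does
# not expose the 'auth' field (Python < 3.7 or OpenSSL < 1.1).
ANON_NAME_PREFIXES = ("ADH-", "AECDH-")


def anonymous_suites(cipher_string):
    """Names of aNULL suites CIPHER_STRING enables (the 'check after setting' step).

    A throwaway client context is configured with the string and every suite
    OpenSSL actually enabled is inspected, so this catches strings such as
    "ALL", which pull in anonymous suites although 'aNULL' never appears.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [
        suite["name"]
        for suite in ctx.get_ciphers()
        # assumption: OpenSSL labels anonymous authentication "auth-null"
        if suite.get("auth") == "auth-null"
        or suite["name"].startswith(ANON_NAME_PREFIXES)
    ]


def handshake_is_authenticated(cipher_name, peer_cert_der):
    """The 'check after connection, before sending data' step, as a pure function.

    cipher_name is the negotiated suite; peer_cert_der is the server certificate
    in DER form, or None when none was sent, which is exactly the case in which
    SSL_VERIFY_PEER had nothing to verify.
    """
    if cipher_name is None or cipher_name.startswith(ANON_NAME_PREFIXES):
        return False
    return peer_cert_der is not None and len(peer_cert_der) > 0


def assert_authenticated(ssl_sock):
    """Run the post-handshake check on a connected ssl.SSLSocket."""
    cipher = ssl_sock.cipher()  # (name, protocol, bits), or None before handshake
    name = cipher[0] if cipher else None
    if not handshake_is_authenticated(name, ssl_sock.getpeercert(binary_form=True)):
        raise ssl.SSLError("no authenticated server identity (suite: %s)" % name)


if __name__ == "__main__":
    for s in ("ALL", "DEFAULT:!aNULL:!eNULL"):
        print("%-24s anonymous suites: %s" % (s, anonymous_suites(s) or "none"))
```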


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]