Re: [openssl-users] Is verification supposed to fail with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT without SSL_CTX_set_client_CA_list?
On Sat, Feb 27, 2016, Jeffrey Walton wrote:
> This came up recently on Stack Overflow. The server code specified
> SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, but failed to call
> SSL_CTX_set_client_CA_list. The connection did not fail as expected.
>
> Looking at the man page for SSL_CTX_set_verify [1] and
> SSL_CTX_set_client_CA_list [2] it looks like the connection is
> supposed to fail. From [1]:
>
>     SSL_VERIFY_FAIL_IF_NO_PEER_CERT
>
>     Server mode: if the client did not return a certificate,
>     the TLS/SSL handshake is immediately terminated
>     with a "handshake failure" alert...
>
> Is verification supposed to fail with SSL_VERIFY_PEER |
> SSL_VERIFY_FAIL_IF_NO_PEER_CERT regardless of the interactions with
> SSL_CTX_set_client_CA_list? Or is there a hidden dependency on
> SSL_CTX_set_client_CA_list?
>

The function SSL_CTX_set_client_CA_list() sets a list of supported CA names. This list is sent to the client during client authentication. The client can then use that (if it wishes) to decide which certificate to use for client authentication.

A client may not filter the CAs based on that list: it might give the user the option to send any client certificate it has available. Also when presented with an empty list the client might decide that all certificates are permissible or that it's some kind of error and it can't send any.

So not setting SSL_CTX_set_client_CA_list() is not guaranteed to fail and what happens depends on the client.

The set of certificates the server trusts for client authentication can be a separate list though if you don't trust any certificate chains you sent in the client CA list that would be somewhat odd.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Is verification supposed to fail with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT without SSL_CTX_set_client_CA_list?
Hi Jeff,

The test I just ran was done with NO custom callback:

    SSL_CTX_set_verify( pCtx, AUTH_REQUIRE, NULL );

with AUTH_REQUIRE defined as ( SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT )

-----Original Message-----
From: Jeffrey Walton [mailto:noloa...@gmail.com]
Sent: Saturday 27 February 2016 23:48

Does your server use the default verify callback? Or does it have a custom callback? (The original question uses the default verify callback).
Re: [openssl-users] Is verification supposed to fail with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT without SSL_CTX_set_client_CA_list?
> I have a server code whose context is configured with SSL_VERIFY_PEER |
> SSL_VERIFY_FAIL_IF_NO_PEER_CERT and which does not call
> SSL_CTX_set_client_CA_list().
> In this case, the handshake fails as expected when clients don't send a
> certificate.

Thanks Michel.

Does your server use the default verify callback? Or does it have a custom callback? (The original question uses the default verify callback).

Jeff
Re: [openssl-users] Is verification supposed to fail with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT without SSL_CTX_set_client_CA_list?
Really? As your post alarmed me, I tried my test programs again and didn't notice anything wrong.

I have a server code whose context is configured with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT and which does not call SSL_CTX_set_client_CA_list().
In this case, the handshake fails as expected when clients don't send a certificate.

OpenSSL Windows 32 bits version 1.1 from git repo yesterday.

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jeffrey Walton
Sent: Saturday 27 February 2016 22:22
To: OpenSSL Users List
Subject: [openssl-users] Is verification supposed to fail with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT without SSL_CTX_set_client_CA_list?

This came up recently on Stack Overflow. The server code specified SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, but failed to call SSL_CTX_set_client_CA_list. The connection did not fail as expected.

Looking at the man page for SSL_CTX_set_verify [1] and SSL_CTX_set_client_CA_list [2] it looks like the connection is supposed to fail. From [1]:

    SSL_VERIFY_FAIL_IF_NO_PEER_CERT

    Server mode: if the client did not return a certificate,
    the TLS/SSL handshake is immediately terminated
    with a "handshake failure" alert...

Is verification supposed to fail with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT regardless of the interactions with SSL_CTX_set_client_CA_list? Or is there a hidden dependency on SSL_CTX_set_client_CA_list?
[openssl-users] Is verification supposed to fail with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT without SSL_CTX_set_client_CA_list?
This came up recently on Stack Overflow. The server code specified SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, but failed to call SSL_CTX_set_client_CA_list. The connection did not fail as expected.

Looking at the man page for SSL_CTX_set_verify [1] and SSL_CTX_set_client_CA_list [2] it looks like the connection is supposed to fail. From [1]:

    SSL_VERIFY_FAIL_IF_NO_PEER_CERT

    Server mode: if the client did not return a certificate,
    the TLS/SSL handshake is immediately terminated
    with a "handshake failure" alert...

Is verification supposed to fail with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT regardless of the interactions with SSL_CTX_set_client_CA_list? Or is there a hidden dependency on SSL_CTX_set_client_CA_list?

[1] http://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_verify.html
[2] http://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_client_CA_list.html