Commit 162e1207 authored by Matt Caswell's avatar Matt Caswell
Browse files

SSL_get_peer_cert_chain() does not work after a resumption 



After a resumption it is documented that SSL_get_peer_cert_chain() will
return NULL. In BoringSSL it still returns the chain. We don't support that
so we should update the shim to call SSL_get_peer_certificate() instead
when checking whether a peer certificate is available.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2942)
parent e29d7cea

test/ossl_shim/ossl_shim.cc

+1 −1
Original line number Diff line number Diff line
@@ -857,7 +857,7 @@ static bool CheckHandshakeProperties(SSL *ssl, bool is_resume) { 
      return false;

    }

  } else if (!config->is_server || config->require_any_client_certificate) {

    if (SSL_get_peer_cert_chain(ssl) == nullptr) {

    if (SSL_get_peer_certificate(ssl) == nullptr) {

      fprintf(stderr, "Received no peer certificate but expected one.\n");

      return false;

    }