TLMSP OpenSSL
Commit 47134b78, authored 25 years ago by Bodo Möller
Don't request client certificate in anonymous ciphersuites
except when following the specs is bound to fail.
Changes: 2 changed files, with 21 additions and 3 deletions
CHANGES: 8 additions, 0 deletions
ssl/s3_srvr.c: 13 additions, 3 deletions
CHANGES (+8, −0)
@@ -4,6 +4,14 @@
Changes between 0.9.4 and 0.9.5 [xx XXX 1999]
*) SSL 3/TLS 1 servers now don't request certificates when an anonymous
ciphersuites has been selected (as required by the SSL 3/TLS 1
specifications). Exception: When SSL_VERIFY_FAIL_IF_NO_PEER_CERT
is set, we interpret this as a request to violate the specification
(the worst that can happen is a handshake failure, and 'correct'
behaviour would result in a handshake failure anyway).
[Bodo Moeller]
*) In SSL_CTX_add_session, take into account that there might be multiple
SSL_SESSION structures with the same session ID (e.g. when two threads
concurrently obtain them from an external cache).
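Review bot: the new entry has a number-agreement slip, "when an anonymous ciphersuites has been selected" should read "when an anonymous ciphersuite has been selected". It would also help readers of CHANGES to know the scope of the exception: the code comment in ssl/s3_srvr.c says the SSL_VERIFY_FAIL_IF_NO_PEER_CERT override is only accepted by s3_clnt.c for SSL 3, so a sentence such as "this only interoperates with OpenSSL's own client on SSL 3; other clients will reject the CertificateRequest" would make the trade-off explicit here rather than only in the source.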
ssl/s3_srvr.c (+13, −3)
@@ -287,9 +287,19 @@ int ssl3_accept(SSL *s)
case
SSL3_ST_SW_CERT_REQ_A
:
case
SSL3_ST_SW_CERT_REQ_B
:
if
(
!
(
s
->
verify_mode
&
SSL_VERIFY_PEER
)
||
if
(
/* don't request cert unless asked for it: */
!
(
s
->
verify_mode
&
SSL_VERIFY_PEER
)
||
/* if SSL_VERIFY_CLIENT_ONCE is set,
* don't request cert during re-negotiation: */
((
s
->
session
->
peer
!=
NULL
)
&&
(
s
->
verify_mode
&
SSL_VERIFY_CLIENT_ONCE
)))
(
s
->
verify_mode
&
SSL_VERIFY_CLIENT_ONCE
))
||
/* never request cert in anonymous ciphersuites
* (see section "Certificate request" in SSL 3 drafts
* and in RFC 2246): */
((
s
->
s3
->
tmp
.
new_cipher
->
algorithms
&
SSL_aNULL
)
&&
/* ... except when the application insists on verification
* (against the specs, but s3_clnt.c accepts this for SSL 3) */
!
(
s
->
verify_mode
&
SSL_VERIFY_FAIL_IF_NO_PEER_CERT
)))
{
/* no cert request */
skip
=
1
;
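Review bot: the third clause of the condition, `(s->s3->tmp.new_cipher->algorithms & SSL_aNULL) && !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)`, means that with SSL_VERIFY_FAIL_IF_NO_PEER_CERT set the server still sends a CertificateRequest inside an anonymous (SSL_aNULL) handshake, which the comment itself says is against the SSL 3 drafts and RFC 2246. Since the comment only promises that s3_clnt.c tolerates this for SSL 3, the deliberate violation deserves to be documented where SSL_VERIFY_FAIL_IF_NO_PEER_CERT is described (SSL_CTX_set_verify / the flag's documentation), not just in this inline comment, so application authors know that combining that flag with anonymous ciphersuites yields a handshake that conforming clients are entitled to abort. A minor readability point: the three reasons for skipping the request are now one long boolean expression; splitting the anonymous-ciphersuite case into its own `if` with the comment above it would keep each rule self-contained.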
...
...
@@ -1531,7 +1541,7 @@ static int ssl3_get_client_certificate(SSL *s)
al
=
SSL_AD_HANDSHAKE_FAILURE
;
goto
f_err
;
}
/* If tls asked for a client cert
we
must return a 0 list */
/* If tls asked for a client cert
, the client
must return a 0 list */
if
((
s
->
version
>
SSL3_VERSION
)
&&
s
->
s3
->
tmp
.
cert_request
)
{
SSLerr
(
SSL_F_SSL3_GET_CLIENT_CERTIFICATE
,
SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST
);
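Review bot: the comment rewording ("the client must return a 0 list") now matches what the `s->version > SSL3_VERSION && s->s3->tmp.cert_request` check enforces, namely that a TLS client that received a CertificateRequest must answer with a Certificate message, even an empty one, so its absence is a protocol error. Consider citing the relevant TLS 1.0 text (RFC 2246, the Client Certificate section) in the comment, as the earlier hunk already cites the spec for the server side, so the SSL 3 versus TLS 1 distinction that motivates the version test is traceable for later readers.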