field | value | date
---|---|---
author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-05-13 00:36:56 -0400
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-05-19 00:25:42 -0400
commit | f75b34c8c81d7277fa002120d4c8dc36c39d1ff5 (patch) |
tree | 118cb3d0ae80b77e3f8e729005ca67bfe3eb5daf /ssl |
parent | a5a3722bc185b2baaaa183dcaafaf17b3d07a5fa (diff) |
When strict SCT fails record verification failure
Since with SSL_VERIFY_NONE, the connection may continue and the
session may even be cached, we should save some evidence that the
chain was not sufficiently verified and would have been rejected
with SSL_VERIFY_PEER. To that end when a CT callback returns failure
we set the verify result to X509_V_ERR_NO_VALID_SCTS.
Note: We only run the CT callback in the first place if the verify
result is still X509_V_OK prior to start of the callback.
RT #4502
Reviewed-by: Tim Hudson <tjh@openssl.org>
Diffstat (limited to 'ssl')
mode | file | lines changed
---|---|---
-rw-r--r-- | ssl/ssl_lib.c | 17
1 files changed, 17 insertions, 0 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 000a509c73..9fb6e89b36 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -4134,6 +4134,23 @@ int ssl_validate_ct(SSL *s) end: CT_POLICY_EVAL_CTX_free(ctx); + /* + * With SSL_VERIFY_NONE the session may be cached and re-used despite a + * failure return code here. Also the application may wish the complete + * the handshake, and then disconnect cleanly at a higher layer, after + * checking the verification status of the completed connection. + * + * We therefore force a certificate verification failure which will be + * visible via SSL_get_verify_result() and cached as part of any resumed + * session. + * + * Note: the permissive callback is for information gathering only, always + * returns success, and does not affect verification status. Only the + * strict callback or a custom application-specified callback can trigger + * connection failure or record a verification error. + */ + if (ret <= 0) + s->verify_result = X509_V_ERR_NO_VALID_SCTS; return ret; } |
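Review bot: the new `if (ret <= 0)` at the `end:` label records X509_V_ERR_NO_VALID_SCTS for every non-positive return from ssl_validate_ct(), not only for a strict-policy rejection by the callback. If any error path before the callback runs jumps to `end:` with ret still non-positive (the label is shared with the CT_POLICY_EVAL_CTX_free() cleanup, so it is the common exit), the application would see "no valid SCTs" through SSL_get_verify_result() when the real cause was an internal failure. Consider setting verify_result only on the path where the callback itself returned failure, or documenting in the block comment which values of ret can reach this point and why they all mean "SCTs not validated". Two smaller points: the comment text "the application may wish the complete the handshake" should read "may wish to complete the handshake"; and since the commit message relies on the caller only entering ssl_validate_ct() while verify_result is X509_V_OK, stating that precondition in the comment, or guarding the assignment with `if (ret <= 0 && s->verify_result == X509_V_OK)`, would make it harder for a future caller to silently clobber an earlier, more specific verification error.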