fix: s_time -verify skips certificate validation

2025-06-23 14:18:03 +02:00 · 2025-06-23 14:18:03 +02:00 · 1c736f1a1c
parent cdd01b5e07
commit 1c736f1a1c
2 changed files with 22 additions and 6 deletions
--- a/apps/s_time.c
+++ b/apps/s_time.c
@ -47,8 +47,8 @@ typedef enum OPTION_choice {
    OPT_CONNECT, OPT_CIPHER, OPT_CIPHERSUITES, OPT_CERT, OPT_NAMEOPT, OPT_KEY,
    OPT_CAPATH, OPT_CAFILE, OPT_CASTORE,
    OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE,
-    OPT_NEW, OPT_REUSE, OPT_BUGS, OPT_VERIFY, OPT_TIME, OPT_SSL3,
-    OPT_WWW, OPT_TLS1, OPT_TLS1_1, OPT_TLS1_2, OPT_TLS1_3,
+    OPT_NEW, OPT_REUSE, OPT_BUGS, OPT_VERIFY, OPT_VERIFY_RET_ERROR, OPT_TIME,
+    OPT_SSL3, OPT_WWW, OPT_TLS1, OPT_TLS1_1, OPT_TLS1_2, OPT_TLS1_3,
    OPT_PROV_ENUM
 } OPTION_CHOICE;

@ -82,6 +82,8 @@ const OPTIONS s_time_options[] = {
 #endif
    {"verify", OPT_VERIFY, 'p',
     "Turn on peer certificate verification, set depth"},
+    {"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
+     "Close connection on verification error"},
    {"time", OPT_TIME, 'p', "Seconds to collect data, default " SECONDSSTR},
    {"www", OPT_WWW, 's', "Fetch specified page from the site"},

@ -129,6 +131,7 @@ int s_time_main(int argc, char **argv)
    OPTION_CHOICE o;
    int min_version = 0, max_version = 0, ver, buf_len, fd;
    size_t buf_size;
+    int verify = SSL_VERIFY_NONE;

    meth = TLS_client_method();

@ -154,6 +157,7 @@ int s_time_main(int argc, char **argv)
            perform = 1;
            break;
        case OPT_VERIFY:
+            verify = SSL_VERIFY_PEER;
            verify_args.depth = opt_int_arg();
            BIO_printf(bio_err, "%s: verify depth is %d\n",
                       prog, verify_args.depth);
@ -186,6 +190,10 @@ int s_time_main(int argc, char **argv)
        case OPT_NOCASTORE:
            noCAstore = 1;
            break;
+        case OPT_VERIFY_RET_ERROR:
+            verify = SSL_VERIFY_PEER;
+            verify_args.return_error = 1;
+            break;
        case OPT_CIPHER:
            cipher = opt_arg();
            break;
@ -243,6 +251,9 @@ int s_time_main(int argc, char **argv)
    if ((ctx = SSL_CTX_new(meth)) == NULL)
        goto end;

+    verify_args.quiet = 1;
+    SSL_CTX_set_verify(ctx, verify, verify_callback);
+
    SSL_CTX_set_quiet_shutdown(ctx, 1);
    if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
        goto end;
--- a/doc/man1/openssl-s_time.pod.in
+++ b/doc/man1/openssl-s_time.pod.in
@ -16,6 +16,7 @@ B<openssl> B<s_time>
 [B<-reuse>]
 [B<-new>]
 [B<-verify> I<depth>]
+[B<-verify_return_error>]
 [B<-time> I<seconds>]
 [B<-ssl3>]
 [B<-tls1>]
@ -73,10 +74,17 @@ be used. The file is in PEM format.

 The verify depth to use. This specifies the maximum length of the
 server certificate chain and turns on server certificate verification.
-Currently the verify operation continues after errors so all the problems
+Unless the B<-verify_return_error> option is given,
+the verify operation continues after errors so all the problems
 with a certificate chain can be seen. As a side effect the connection
 will never fail due to a server certificate verify failure.

+=item B<-verify_return_error>
+
+Turns on server certificate verification, like with B<-verify>,
+but returns verification errors instead of continuing.
+This will typically abort the handshake with a fatal error.
+
 =item B<-new>

 Performs the timing test using a new session ID for each connection.
@ -172,9 +180,6 @@ Because this program does not have all the options of the
 L<openssl-s_client(1)> program to turn protocols on and off, you may not
 be able to measure the performance of all protocols with all servers.

-The B<-verify> option should really exit if the server verification
-fails.
-
 =head1 HISTORY

 The B<-cafile> option was deprecated in OpenSSL 3.0.