mirror of https://github.com/openssl/openssl.git
0c3eb2793b
The client-side cert verification callback function may not only return as usual for success or 0 for failure, but also -1, typically on failure verifying the server certificate. This makes the handshake suspend and return control to the calling application with SSL_ERROR_WANT_RETRY_VERIFY. The app can for instance fetch further certificates or cert status information needed for the verification. Calling SSL_connect() again resumes the connection attempt by retrying the server certificate verification step. This process may even be repeated if need be. The core implementation of the feature is in ssl/statem/statem_clnt.c, splitting tls_process_server_certificate() into a preparation step that just copies the certificates received from the server to s->session->peer_chain (rather than having them in a local variable at first) and returns to the state machine, and a post-processing step in tls_post_process_server_certificate() that can be repeated: Try verifying the current contents of s->session->peer_chain basically as before, but give the verification callback function the chance to pause connecting and make the TLS state machine later call tls_post_process_server_certificate() again. Otherwise processing continues as usual. The documentation of the new feature is added to SSL_CTX_set_cert_verify_callback.pod and SSL_want.pod. This adds two tests: * A generic test in test/helpers/handshake.c on the usability of the new server cert verification retry feature. It is triggered via test/ssl-tests/03-custom_verify.cnf.in (while the bulky auto- generated changes to test/ssl-tests/03-custom_verify.cnf can be basically ignored). * A test in test/sslapitest.c that demonstrates the effectiveness of the approach for augmenting the cert chain provided by the server in between SSL_connect() calls. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13906) |
||
|---|---|---|
| .. | ||
| perl | ||
| add-depends.pl | ||
| build.info | ||
| cavs-to-evptest.pl | ||
| check-format-test-negatives.c | ||
| check-format-test-positives.c | ||
| check-format.pl | ||
| check-malloc-errs | ||
| ck_errf.pl | ||
| copy.pl | ||
| dofile.pl | ||
| echo.pl | ||
| engines.num | ||
| err-to-raise | ||
| find-doc-nits | ||
| find-unused-errs | ||
| fix-deprecation | ||
| fix-includes | ||
| fix-includes.sed | ||
| indent.pro | ||
| libcrypto.num | ||
| libssl.num | ||
| local_shlib.com.in | ||
| markdownlint.rb | ||
| merge-err-lines | ||
| missingcrypto-internal.txt | ||
| missingcrypto.txt | ||
| missingcrypto111.txt | ||
| missingmacro.txt | ||
| missingmacro111.txt | ||
| missingssl-internal.txt | ||
| missingssl.txt | ||
| missingssl111.txt | ||
| mkbuildinf.pl | ||
| mkdef.pl | ||
| mkdir-p.pl | ||
| mkerr.pl | ||
| mknum.pl | ||
| mkpod2html.pl | ||
| mkrc.pl | ||
| mktar.sh | ||
| opensslwrap.sh | ||
| other-internal.syms | ||
| other.syms | ||
| providers.num | ||
| shlib_wrap.sh.in | ||
| su-filter.pl | ||
| unlocal_shlib.com.in | ||
| withlibctx.pl | ||
| wrap.pl | ||