Hi,
Problem:
If the negotiated cipher is ADH (i.e., the SSL_aNULL flag is set) and if
the verify mode is SSL_VERIFY_PEER, the server will send a certificate
request to the client. The receipt of this request by the client is
considered a fatal protocol error in TLS. Therefore, the request
should not be sent.
Fix:
The following patch to s3_srvr.c prevents the sending of the
certificate request by the server when the cipher suite is anonymous.
*** backup\s3_srvr.c Tue Nov 16 19:00:34 1999
--- s3_srvr.c Sat Dec 18 14:55:40 1999
***************
*** 287,293 ****
case SSL3_ST_SW_CERT_REQ_A:
case SSL3_ST_SW_CERT_REQ_B:
! if (!(s->verify_mode & SSL_VERIFY_PEER) ||
((s->session->peer != NULL) &&
(s->verify_mode &
SSL_VERIFY_CLIENT_ONCE)))
{
--- 287,294 ----
case SSL3_ST_SW_CERT_REQ_A:
case SSL3_ST_SW_CERT_REQ_B:
! if ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) ||
! !(s->verify_mode & SSL_VERIFY_PEER) ||
((s->session->peer != NULL) &&
(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)))
{
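Review bot: the new SSL_aNULL test in the condition silently waives client authentication without telling the application: a server configured with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT that negotiates an ADH suite will now skip the CertificateRequest and, as far as this hunk shows, nothing else enforces the "fail if no peer cert" requirement, so the handshake completes with no client certificate at all. Consider refusing anonymous suites during cipher selection when SSL_VERIFY_FAIL_IF_NO_PEER_CERT is set, or at least add a comment above the condition noting that an anonymous key exchange cannot carry a CertificateRequest (RFC 2246 section 7.4.4 makes it a fatal handshake_failure on the client) and that verify_mode is therefore ignored for it. Also, the re-wrapping of `(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)` onto one line is unrelated whitespace churn; dropping it would leave the hunk showing only the one-line functional change.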
Cheers,
- Peter
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
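To see the protocol violation the report describes from the wire side, here is an added example (not code from the post or from OpenSSL) that parses a TLS 1.0 server handshake flight and flags a CertificateRequest, or a Certificate message, sent after an anonymous DH suite was selected. The message builders, the placeholder ServerKeyExchange body and the flights themselves are constructed here for illustration; the cipher suite values are the TLS_DH_anon_* identifiers from RFC 2246 appendix A.5.

```python
"""Audit a TLS 1.0 server handshake flight for the ADH + CertificateRequest bug.

Input is the handshake layer only (record headers already stripped), i.e. a
sequence of: 1-byte HandshakeType, 3-byte length, body.
"""
import struct

# HandshakeType values from RFC 2246 section 7.4
HS_SERVER_HELLO = 2
HS_CERTIFICATE = 11
HS_SERVER_KEY_EXCHANGE = 12
HS_CERTIFICATE_REQUEST = 13
HS_SERVER_HELLO_DONE = 14

# TLS_DH_anon_* suites from RFC 2246 appendix A.5 (the SSL_aNULL suites)
ANON_SUITES = {0x0017, 0x0018, 0x0019, 0x001A, 0x001B}
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001B


def hs_msg(msg_type, body):
    """Wrap a body in a handshake header: 1-byte type, 3-byte big-endian length."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def server_hello(cipher_suite, session_id=b""):
    """Build a minimal TLS 1.0 ServerHello body (constructed: fixed random, null compression)."""
    return (b"\x03\x01" + bytes(range(32)) + bytes([len(session_id)]) + session_id
            + struct.pack(">H", cipher_suite) + b"\x00")


def iter_handshake(data):
    """Yield (type, body) for each handshake message; reject truncated input."""
    off = 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated handshake header at offset %d" % off)
        msg_type = data[off]
        length = int.from_bytes(data[off + 1:off + 4], "big")
        body = data[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body at offset %d" % off)
        yield msg_type, body
        off += 4 + length


def parse_server_hello_suite(body):
    """Extract cipher_suite: version(2) random(32) sid_len(1) sid cipher_suite(2) compression(1)."""
    sid_len = body[34]
    pos = 35 + sid_len
    return struct.unpack(">H", body[pos:pos + 2])[0]


def audit_server_flight(data):
    """Return the negotiated suite, whether it is anonymous, and any spec violations found."""
    suite = None
    types = []
    for msg_type, body in iter_handshake(data):
        types.append(msg_type)
        if msg_type == HS_SERVER_HELLO:
            suite = parse_server_hello_suite(body)
    if suite is None:
        raise ValueError("no ServerHello in flight")
    anonymous = suite in ANON_SUITES
    problems = []
    if anonymous and HS_CERTIFICATE_REQUEST in types:
        # RFC 2246 7.4.4: an anonymous server requesting client identification
        # is a fatal handshake_failure on the client side.
        problems.append("CertificateRequest sent with anonymous suite")
    if anonymous and HS_CERTIFICATE in types:
        # RFC 2246 7.4.2: Certificate is sent only for non-anonymous key exchange.
        problems.append("Certificate sent with anonymous suite")
    return {"cipher_suite": suite, "anonymous": anonymous,
            "messages": types, "problems": problems}


# Constructed flights. The ServerKeyExchange body is a placeholder, not real DH params;
# the CertificateRequest body is one certificate type (rsa_sign) and an empty CA list.
PLACEHOLDER_SKE = b"\x00" * 8
CERT_REQUEST_BODY = b"\x01\x01\x00\x00"

# What the unpatched server emits: ADH suite followed by a CertificateRequest.
BUGGY_ADH_FLIGHT = b"".join([
    hs_msg(HS_SERVER_HELLO, server_hello(TLS_DH_anon_WITH_3DES_EDE_CBC_SHA)),
    hs_msg(HS_SERVER_KEY_EXCHANGE, PLACEHOLDER_SKE),
    hs_msg(HS_CERTIFICATE_REQUEST, CERT_REQUEST_BODY),
    hs_msg(HS_SERVER_HELLO_DONE, b""),
])

# What the patched server emits for the same suite.
FIXED_ADH_FLIGHT = b"".join([
    hs_msg(HS_SERVER_HELLO, server_hello(TLS_DH_anon_WITH_3DES_EDE_CBC_SHA)),
    hs_msg(HS_SERVER_KEY_EXCHANGE, PLACEHOLDER_SKE),
    hs_msg(HS_SERVER_HELLO_DONE, b""),
])

# A normal RSA handshake with client auth, where the request is legitimate.
RSA_CLIENT_AUTH_FLIGHT = b"".join([
    hs_msg(HS_SERVER_HELLO, server_hello(TLS_RSA_WITH_3DES_EDE_CBC_SHA, b"\xAA" * 4)),
    hs_msg(HS_CERTIFICATE, b"\x00\x00\x00"),  # empty certificate_list placeholder
    hs_msg(HS_CERTIFICATE_REQUEST, CERT_REQUEST_BODY),
    hs_msg(HS_SERVER_HELLO_DONE, b""),
])

if __name__ == "__main__":
    for name, flight in [("buggy ADH", BUGGY_ADH_FLIGHT), ("fixed ADH", FIXED_ADH_FLIGHT),
                         ("RSA client auth", RSA_CLIENT_AUTH_FLIGHT)]:
        print(name, audit_server_flight(flight))
```

The parser works on the handshake layer, so to run it against a real capture concatenate the fragments of the server's records of content type 22 before calling `audit_server_flight`; the RSA case is included to show that the check keys on the negotiated suite, not on the mere presence of a CertificateRequest.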