Sorry team. The change was observed between openssl 0.9.8g and openssl 0.9.8k.

Can you please tell us the intent of this change and how we can get out of
this problem?

Regards,
Rajeswari


On Thu, Sep 26, 2013 at 3:18 PM, Rajeswari K <raji.kotamr...@gmail.com> wrote:

> Hello Openssl dev team,
>
> Currently we are using openssl 0.9.8q. Earlier we used
> openssl 0.9.8k.
> We have seen a change in the return value handling of
> ssl_verify_cert_chain() in the function ssl3_get_client_certificate().
>
> In openssl 0.9.8k, ssl_verify_cert_chain() is handled like this:
>
>     else
>             {
>             i=ssl_verify_cert_chain(s,sc->cert_chain);
>             if (i < 0)
>                     {
>                     ret = i;
>                     goto err;
>                     }
>             else if (i == 0)
>                     {
>                     al=ssl_verify_alarm_type(s->verify_result);
>                     SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
>                     goto f_err;
>                     }
>             }
>
> But in openssl 0.9.8q, the same code is changed to:
>
>     else
>             {
>             i=ssl_verify_cert_chain(s,sk);
>             if (i <= 0)
>                     {
>                     al=ssl_verify_alarm_type(s->verify_result);
>                     SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
>                     goto f_err;
>                     }
>             }
>
> Currently we have registered our callback functions to perform
> verification of certificates. In our code, we return negative values if CRL
> fetch/certificate verification is in progress. Due to this, the current
> openssl 0.9.8q is treating the negative values as an error, sending an alert
> and clearing its session.
>
> The same code worked with openssl 0.9.8k because OpenSSL is not treating a
> negative value as an error.
>
> Is there any way we can get out of this situation with openssl 0.9.8q?
>
>
> Thanks & Regards,
>
> Rajeswari.
>
>
