Hi,

Using OpenSSL 1.0.1h 5 Jun 2014, -Verify does not have the same meaning depending on whether TLS or DTLS is used, when a PSK ciphersuite is selected.

More precisely, the following fails:

    openssl s_server -nocert -psk abc123 -Verify 10 -dtls1 &
    openssl s_client -psk abc123 -dtls1

with server output:

    verify depth is 10, must return a certificate
    Using default temp DH parameters
    Using default temp ECDH parameters
    ACCEPT
    ERROR
    140396734203536:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:3186:
    shutting down SSL
    CONNECTION CLOSED
    ACCEPT

This contrasts with the fact that the following works (just switching from DTLS to TLS):

    openssl s_server -nocert -psk abc123 -Verify 10 -tls1_1 &
    openssl s_client -psk abc123 -tls1_1

This kind of discrepancy is unexpected. My opinion is, the behaviour observed with TLS is good and the behaviour with DTLS should be aligned on it. Perhaps the man page could use some clarification about the meaning of -Verify wrt PSK ciphersuites, too.

Manuel.
