Hi all,

Problem:

If the negotiated cipher is ADH (i.e., the SSL_aNULL flag is set) and if
the verify mode is SSL_VERIFY_PEER, the server will send a certificate
request to the client.  The receipt of this request by the client is
considered a fatal protocol error in TLS.  Therefore, the request
should not be sent.

Fix:

The following patch to s3_srvr.c prevents the sending of the
certificate request by the server when the cipher suite is anonymous.


*** backup\s3_srvr.c Tue Nov 16 19:00:34 1999
--- s3_srvr.c Sat Dec 18 14:55:40 1999
***************
*** 287,293 ****

                case SSL3_ST_SW_CERT_REQ_A:
                case SSL3_ST_SW_CERT_REQ_B:
!                       if (!(s->verify_mode & SSL_VERIFY_PEER) ||
                                ((s->session->peer != NULL) &&
                                 (s->verify_mode &
SSL_VERIFY_CLIENT_ONCE)))
                                {
--- 287,294 ----

                case SSL3_ST_SW_CERT_REQ_A:
                case SSL3_ST_SW_CERT_REQ_B:
!                       if ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) ||
!                              !(s->verify_mode & SSL_VERIFY_PEER) ||
                                ((s->session->peer != NULL) &&
                                 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)))
                                {
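Review bot: The new first clause `(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)` short-circuits the whole condition for every anonymous suite regardless of the other verify_mode bits, so an application that has also asked for the handshake to fail without a client certificate (OpenSSL's SSL_VERIFY_FAIL_IF_NO_PEER_CERT, not visible in this hunk) would now have the server continue silently instead of failing; consider limiting the new clause with `!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)` so that explicit setting still wins. The added test also needs a comment in the code saying why it exists (a CertificateRequest in an anonymous suite is a fatal error for the client, as the cover text explains), since nothing in the hunk records that rationale for the next reader of s3_srvr.c.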

Cheers,
- Peter

----------------------------------------------------------------
Peter "Luna" Runestig (fd. Altberg), Sweden <[EMAIL PROTECTED]>
PGP Key ID: 0xD07BBE13
Fingerprint: 7B5C 1F48 2997 C061 DE4B  42EA CB99 A35C D07B BE13

Old man Movitz smiles and nods, / but from Charon's dark strait
death's slumber / in your eyes / soon portends your final hour.
Carl Michael Bellman, Fredman's Epistle no. 34
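To make the effect of the hunk concrete, here is a stand-alone model of the guard in s3_srvr.c that decides whether the server state machine emits a CertificateRequest, with the original condition and the patched condition side by side and a walk over the full decision table. This is an added example, not code from the post or from OpenSSL: the struct, the function names and the numeric values of the flag macros are constructed for the model (only the macro names come from the post), so it compiles without OpenSSL.

```c
#include <stdio.h>

/* Constructed stand-ins for the OpenSSL bit masks named in the post; the
 * numeric values are made up for this model and are not OpenSSL's. */
#define SSL_VERIFY_PEER          0x01UL
#define SSL_VERIFY_CLIENT_ONCE   0x04UL
#define SSL_aRSA                 0x0100UL   /* RSA-authenticated key exchange */
#define SSL_aNULL                0x0200UL   /* anonymous key exchange, e.g. ADH */

/* The few per-connection fields the guard in s3_srvr.c actually reads
 * (hypothetical struct standing in for the relevant parts of SSL *s). */
struct handshake {
    unsigned long cipher_algorithms;  /* s->s3->tmp.new_cipher->algorithms */
    unsigned long verify_mode;        /* s->verify_mode */
    int peer_cert_cached;             /* s->session->peer != NULL */
};

/* Original guard (the "***" side of the hunk).  Returns 1 when the server
 * skips the CertificateRequest message, 0 when it sends one. */
int skip_cert_request_before(const struct handshake *h)
{
    return !(h->verify_mode & SSL_VERIFY_PEER) ||
           (h->peer_cert_cached && (h->verify_mode & SSL_VERIFY_CLIENT_ONCE));
}

/* Patched guard (the "---" side): an anonymous suite never requests a
 * certificate; every other combination behaves exactly as before. */
int skip_cert_request_after(const struct handshake *h)
{
    return (h->cipher_algorithms & SSL_aNULL) != 0 ||
           skip_cert_request_before(h);
}

/* Walk the 2 suites x 3 verify modes x 2 cache states and return how many
 * cells of the decision table the patch changes. */
int count_changed_cases(void)
{
    const unsigned long suites[] = { SSL_aRSA, SSL_aNULL };
    const unsigned long modes[]  = { 0, SSL_VERIFY_PEER,
                                     SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE };
    int changed = 0;
    for (int i = 0; i < 2; i++)
        for (int j = 0; j < 3; j++)
            for (int cached = 0; cached < 2; cached++) {
                struct handshake h = { suites[i], modes[j], cached };
                if (skip_cert_request_before(&h) != skip_cert_request_after(&h))
                    changed++;
            }
    return changed;
}

int main(void)
{
    /* The exact situation from the post: ADH negotiated, SSL_VERIFY_PEER set. */
    struct handshake adh_verify = { SSL_aNULL, SSL_VERIFY_PEER, 0 };
    printf("ADH + SSL_VERIFY_PEER: before=%s after=%s\n",
           skip_cert_request_before(&adh_verify) ? "skip" : "send",
           skip_cert_request_after(&adh_verify)  ? "skip" : "send");
    printf("%d of 12 cases in the decision table change\n", count_changed_cases());
    return 0;
}
```

Only the cells where an anonymous suite would previously have been asked for a certificate change; authenticated suites and connections that never set SSL_VERIFY_PEER are untouched, which is the property a reviewer would want to confirm before merging the hunk.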


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
