That clarifies everything. Many thanks!
On Wed, Dec 14, 2011 at 1:46 PM, Dave Thompson <[email protected]> wrote:

> > From: [email protected] On Behalf Of Joss T
> > Sent: Tuesday, 13 December, 2011 04:16
>
> > In the context of sending requests, I've seen a number of people
> > using SSL_VERIFY_PEER in combination with SSL_VERIFY_FAIL_IF_NO_PEER_CERT
> > e.g. (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT).
>
> > That seems strange, since according to the docs <snip>
> > SSL_VERIFY_FAIL_IF_NO_PEER_CERT is ignored in client mode.
> > Is there any reason for combining them, or are these people just doing it
> > wrong?
>
> It is ignored. Possibly they are using the same context for both client
> and server, or copying from code that does or did. Since it is ignored
> and does no harm, no one is going to be motivated to 'fix' it.
>
> > Also, from docs regarding client mode, could someone please explain
> > what is meant by "If no server certificate is sent, because an anonymous
> > cipher is used, SSL_VERIFY_PEER is ignored."? I don't understand why
> > VERIFY_PEER would ever be ignored.
>
> Peer verification is done by looking at the received certificate.
> For anonymous ciphersuites, no certificate is sent (in either direction).
> If there is no certificate to verify, you can't do verification.
>
> > Basically, I'm trying to make sure that no matter what, I am never
> > sending requests to the server without verification.
>
> Don't offer anonymous ciphersuites. By default OpenSSL disables
> all aNULL and eNULL ciphersuites, so this is only an issue if you
> (can) make an API call to set the cipherlist; if so, make sure
> the string you pass doesn't enable them, or alternatively check
> after setting to make sure none were set, or after connection
> (but before sending data) to make sure none was negotiated.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [email protected]
> Automated List Manager                           [email protected]
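The three checks Dave describes (set SSL_VERIFY_PEER on the client, never offer aNULL/eNULL suites, and verify both after setting the cipher list and after the handshake that no anonymous suite is in play) as an added example, not code from the thread or from OpenSSL. It uses Python's standard ssl module, which is a thin wrapper over the same OpenSSL API, so the rules map directly: ssl.CERT_REQUIRED is SSL_VERIFY_PEER, set_ciphers() is SSL_CTX_set_cipher_list(), and get_ciphers() exposes the SSL_CIPHER_description() output, which prints "Au=None" for an anonymous suite. The cipher string CIPHERS and the function names are assumptions for the example.

```python
"""Added example (not from the thread): enforce "never send a request to an
unverified server" with Python's ssl module, which wraps OpenSSL.

  1. SSL_VERIFY_PEER on the client  -> ssl.CERT_REQUIRED plus hostname check
  2. never offer aNULL/eNULL        -> explicit cipher string excluding them
  3. check after setting the list, and again after the handshake (before
     any data is sent), that no anonymous suite is offered or negotiated
"""
import ssl

# Assumed cipher string for the example; the essential parts are the
# !aNULL and !eNULL exclusions Dave's reply calls for.
CIPHERS = "HIGH:!aNULL:!eNULL:!MD5"


def is_anonymous(info):
    """True if an ssl.SSLContext.get_ciphers() entry provides no peer
    authentication. OpenSSL's SSL_CIPHER_description() prints 'Au=None'
    for aNULL suites; the parsed 'auth' field, when present, is 'auth-null'.
    Both forms are checked so the test does not depend on one build."""
    desc = info.get("description") or ""
    return "Au=None" in desc or info.get("auth") == "auth-null"


def anonymous_ciphers(ctx):
    """Names of every anonymous suite the context would offer."""
    return [c["name"] for c in ctx.get_ciphers() if is_anonymous(c)]


def context_requires_cert(ctx):
    """The client-side equivalent of SSL_VERIFY_PEER: a server certificate
    is demanded and its name is checked against the host we dialled."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def make_client_context():
    """Hardened client context. Raises rather than returning a context that
    could ever connect without something to verify."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_default_certs()
    ctx.set_ciphers(CIPHERS)
    # Check after setting, as the reply suggests: if the string somehow
    # still admits an anonymous suite, refuse to go on.
    leaked = anonymous_ciphers(ctx)
    if leaked:
        raise ValueError("anonymous ciphersuites enabled: " + ", ".join(leaked))
    return ctx


def negotiated_is_anonymous(ctx, cipher_name):
    """Post-handshake check. Call with ssl_sock.cipher()[0] right after
    connect() and before the first send(): look the negotiated suite up in
    the context's own list and report whether it is unauthenticated.
    A suite we never configured is treated as unsafe."""
    for info in ctx.get_ciphers():
        if info["name"] == cipher_name:
            return is_anonymous(info)
    return True


def weak_context_or_none():
    """The mistake being warned about: VERIFY_PEER is set, but the cipher
    string re-enables aNULL, so a server can pick a suite with no
    certificate and there is nothing to verify. Returns None on builds
    whose security level refuses to enable such suites at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        ctx.set_ciphers("ALL:aNULL:@SECLEVEL=0")
    except ssl.SSLError:
        return None
    return ctx


if __name__ == "__main__":
    good = make_client_context()
    print("hardened context: %d suites, %d anonymous"
          % (len(good.get_ciphers()), len(anonymous_ciphers(good))))
    weak = weak_context_or_none()
    if weak is not None:
        print("weak context would offer:", anonymous_ciphers(weak))
```

In a real client the post-handshake step is `name = ssl_sock.cipher()[0]` followed by `if negotiated_is_anonymous(ctx, name): ssl_sock.close()` before any request bytes go out. On a modern OpenSSL the anonymous suites are already refused at the default security level, which is why the weak context may come back as None; the check-after-setting step in make_client_context() is what protects you on builds or configurations where they are not.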
