When strict SCT fails record verification failure
author Viktor Dukhovni <openssl-users@dukhovni.org>
Fri, 13 May 2016 04:36:56 +0000 (00:36 -0400)
committer Viktor Dukhovni <openssl-users@dukhovni.org>
Thu, 19 May 2016 04:25:42 +0000 (00:25 -0400)
commit f75b34c8c81d7277fa002120d4c8dc36c39d1ff5
tree 118cb3d0ae80b77e3f8e729005ca67bfe3eb5daf
parent a5a3722bc185b2baaaa183dcaafaf17b3d07a5fa
When strict SCT fails record verification failure

Since with SSL_VERIFY_NONE, the connection may continue and the
session may even be cached, we should save some evidence that the
chain was not sufficiently verified and would have been rejected
with SSL_VERIFY_PEER.  To that end when a CT callback returns failure
we set the verify result to X509_V_ERR_NO_VALID_SCTS.

Note: We only run the CT callback in the first place if the verify
result is still X509_V_OK prior to start of the callback.

RT #4502

Reviewed-by: Tim Hudson <tjh@openssl.org>
crypto/x509/x509_txt.c
doc/ssl/SSL_CTX_set_ct_validation_callback.pod
include/openssl/x509_vfy.h
ssl/ssl_lib.c