From: Tomas Mraz Date: Tue, 2 Jul 2019 11:32:29 +0000 (+0200) Subject: Clarify documentation of SSL_CTX_set_verify client side behavior X-Git-Tag: OpenSSL_1_1_1d~114 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=78af3f6f95cb8327fb423a609586c3c2b0d9c5f9;p=oweals%2Fopenssl.git Clarify documentation of SSL_CTX_set_verify client side behavior Fixes #9259 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9291) (cherry picked from commit e6716f2bb4d9588044820f29a7ced0f06789d6ef) --- diff --git a/doc/man3/SSL_CTX_set_verify.pod b/doc/man3/SSL_CTX_set_verify.pod index 21d9ae1018..2e5ee7915a 100644 --- a/doc/man3/SSL_CTX_set_verify.pod +++ b/doc/man3/SSL_CTX_set_verify.pod @@ -102,7 +102,7 @@ B if the client did not return a certificate, the TLS/SSL handshake is immediately terminated with a "handshake failure" alert. This flag must be used together with SSL_VERIFY_PEER. -B ignored +B ignored (see BUGS) =item SSL_VERIFY_CLIENT_ONCE @@ -112,7 +112,7 @@ renegotiation or post-authentication if a certificate was requested during the initial handshake. This flag must be used together with SSL_VERIFY_PEER. -B ignored +B ignored (see BUGS) =item SSL_VERIFY_POST_HANDSHAKE @@ -123,7 +123,7 @@ to be configured for post-handshake peer verification before the handshake occurs. This flag must be used together with SSL_VERIFY_PEER. TLSv1.3 only; no effect on pre-TLSv1.3 connections. -B ignored +B ignored (see BUGS) =back @@ -203,8 +203,8 @@ message is sent to the client. =head1 BUGS In client mode, it is not checked whether the SSL_VERIFY_PEER flag -is set, but whether any flags are set. This can lead to -unexpected behaviour if SSL_VERIFY_PEER and other flags are not used as +is set, but whether any flags other than SSL_VERIFY_NONE are set. This can +lead to unexpected behaviour if SSL_VERIFY_PEER and other flags are not used as required. =head1 RETURN VALUES