From 162e120711490cbd26f8608bf268a906c42e2027 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 14 Mar 2017 17:27:46 +0000 Subject: [PATCH] SSL_get_peer_cert_chain() does not work after a resumption After a resumption it is documented that SSL_get_peer_cert_chain() will return NULL. In BoringSSL it still returns the chain. We don't support that so we should update the shim to call SSL_get_peer_certificate() instead when checking whether a peer certificate is available. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/2942) --- test/ossl_shim/ossl_shim.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/ossl_shim/ossl_shim.cc b/test/ossl_shim/ossl_shim.cc index be589e36d1..9607e528d8 100644 --- a/test/ossl_shim/ossl_shim.cc +++ b/test/ossl_shim/ossl_shim.cc @@ -857,7 +857,7 @@ static bool CheckHandshakeProperties(SSL *ssl, bool is_resume) { return false; } } else if (!config->is_server || config->require_any_client_certificate) { - if (SSL_get_peer_cert_chain(ssl) == nullptr) { + if (SSL_get_peer_certificate(ssl) == nullptr) { fprintf(stderr, "Received no peer certificate but expected one.\n"); return false; } -- 2.25.1