[En-Nut-Discussion] ssl_verify_cert return value

Krzysztof Sawicki krzysztof.sawicki at mlabs.pl
Wed Nov 9 08:58:30 CET 2016


Hi,

I played with a tls client demo application and noticed such issue:
in nut/app/tls_client/tls_client.c we check the result returned by ssl_verify_cert:

    switch (ssl_verify_cert(ssl)) {
        case SSL_X509_ERROR(X509_OK): printf("OK\n"); break;
        case SSL_X509_ERROR(X509_NOT_OK): printf("NOT OK\n"); break;
        case SSL_X509_ERROR(X509_VFY_ERROR_NO_TRUSTED_CERT): printf("Not trusted\n"); break;
        case SSL_X509_ERROR(X509_VFY_ERROR_BAD_SIGNATURE): printf("Bad signature\n"); break;
        case SSL_X509_ERROR(X509_VFY_ERROR_NOT_YET_VALID): printf("Not yet valid\n"); break;
        case SSL_X509_ERROR(X509_VFY_ERROR_EXPIRED): printf("Expired\n"); break;
        case SSL_X509_ERROR(X509_VFY_ERROR_SELF_SIGNED): printf("Self signed\n"); break;
        case SSL_X509_ERROR(X509_VFY_ERROR_UNSUPPORTED_DIGEST): printf("Unsupported digest\n"); break;
    }

but in nut/tls/tls1.c ssl_verify_cert looks as follows:

int ssl_verify_cert(const SSL *ssl)
{
     int ret;
     SSL_CTX_LOCK(ssl->ssl_ctx->mutex);
     ret = x509_verify(ssl->ssl_ctx->ca_cert_ctx, ssl->x509_ctx);
     SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex);

     if (ret)        /* modify into an SSL error type */
     {
         ret = SSL_X509_ERROR(ret);
     }

     return ret;
}


So, if there is no error (certificate is ok), ssl_verify_cert returns X509_OK (= 0), but in tls_client we expect SSL_X509_ERROR(X509_OK) (= -512).

-- 
Krzysztof Sawicki
MLabs sp. z o.o.
ul. Kaliska 21
61-131 Poznań

tel. 61 646 84 27

KRS: 0000390306
NIP: 7822533401


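The mismatch described in the post, reproduced as a small added example (this is not code from Nut/OS or axTLS, and not the poster's code). The constant values are assumptions for the example: X509_OK is 0, the other verification codes are small negatives, and SSL_X509_ERROR() shifts a code by the -512 offset the post mentions. The function names verify_cert_result, classify_as_in_demo, classify_fixed and cert_is_trusted are invented for this example. It shows that the demo's switch has no case that matches the 0 returned for a valid certificate, and what a handling looks like that treats 0 as the only success value and everything else as a failure.

```c
#include <stdio.h>
#include <string.h>

/* Assumed values for this example: X509_OK is 0, the other codes are small
 * negatives, and SSL_X509_ERROR() applies the -512 offset named in the post. */
#define X509_OK                              0
#define X509_NOT_OK                         -1
#define X509_VFY_ERROR_NO_TRUSTED_CERT      -2
#define X509_VFY_ERROR_BAD_SIGNATURE        -3
#define X509_VFY_ERROR_NOT_YET_VALID        -4
#define X509_VFY_ERROR_EXPIRED              -5
#define X509_VFY_ERROR_SELF_SIGNED          -6
#define X509_VFY_ERROR_UNSUPPORTED_DIGEST   -8
#define SSL_X509_OFFSET                   -512
#define SSL_X509_ERROR(A)  (SSL_X509_OFFSET - (A))

/* Stand-in for ssl_verify_cert(): same mapping as in tls1.c, but it takes the
 * raw x509_verify() result as a parameter instead of a live SSL object.
 * Note that a 0 (X509_OK) result is returned unchanged. */
static int verify_cert_result(int x509_ret)
{
    if (x509_ret)          /* only non-zero codes get the SSL offset */
        x509_ret = SSL_X509_ERROR(x509_ret);
    return x509_ret;
}

/* The classification exactly as tls_client.c does it. Returns NULL when no
 * case matches, which is what happens for a valid certificate (ret == 0). */
static const char *classify_as_in_demo(int ret)
{
    switch (ret) {
        case SSL_X509_ERROR(X509_OK): return "OK";              /* -512: never returned */
        case SSL_X509_ERROR(X509_NOT_OK): return "NOT OK";
        case SSL_X509_ERROR(X509_VFY_ERROR_NO_TRUSTED_CERT): return "Not trusted";
        case SSL_X509_ERROR(X509_VFY_ERROR_BAD_SIGNATURE): return "Bad signature";
        case SSL_X509_ERROR(X509_VFY_ERROR_NOT_YET_VALID): return "Not yet valid";
        case SSL_X509_ERROR(X509_VFY_ERROR_EXPIRED): return "Expired";
        case SSL_X509_ERROR(X509_VFY_ERROR_SELF_SIGNED): return "Self signed";
        case SSL_X509_ERROR(X509_VFY_ERROR_UNSUPPORTED_DIGEST): return "Unsupported digest";
    }
    return NULL;
}

/* Corrected classification: 0 is the only success value, every other value
 * (known or not) is a verification failure and gets a label. */
static const char *classify_fixed(int ret)
{
    if (ret == X509_OK)
        return "OK";
    switch (ret) {
        case SSL_X509_ERROR(X509_NOT_OK): return "NOT OK";
        case SSL_X509_ERROR(X509_VFY_ERROR_NO_TRUSTED_CERT): return "Not trusted";
        case SSL_X509_ERROR(X509_VFY_ERROR_BAD_SIGNATURE): return "Bad signature";
        case SSL_X509_ERROR(X509_VFY_ERROR_NOT_YET_VALID): return "Not yet valid";
        case SSL_X509_ERROR(X509_VFY_ERROR_EXPIRED): return "Expired";
        case SSL_X509_ERROR(X509_VFY_ERROR_SELF_SIGNED): return "Self signed";
        case SSL_X509_ERROR(X509_VFY_ERROR_UNSUPPORTED_DIGEST): return "Unsupported digest";
        default: return "Unknown verification error";
    }
}

/* The decision a client should actually act on: proceed only on 0. */
static int cert_is_trusted(int ret)
{
    return ret == X509_OK;
}

int main(void)
{
    /* Constructed sample results as x509_verify() would return them. */
    const int samples[] = { X509_OK, X509_VFY_ERROR_EXPIRED, X509_VFY_ERROR_SELF_SIGNED, -42 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ret = verify_cert_result(samples[i]);
        const char *demo = classify_as_in_demo(ret);
        printf("x509=%3d ssl=%5d demo=%-18s fixed=%-26s trusted=%d\n",
               samples[i], ret, demo ? demo : "(no case matched)",
               classify_fixed(ret), cert_is_trusted(ret));
    }
    return 0;
}
```

The practical consequence for a client: whatever branch prints "OK", the decision to continue the handshake should be keyed on the return value being exactly 0, with every other value (including codes the switch does not list) treated as a failed verification.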