[En-Nut-Discussion] ssl_verify_cert return value
Uwe Bonnes
bon at elektron.ikp.physik.tu-darmstadt.de
Wed Nov 9 11:22:03 CET 2016
>>>>> "Krzysztof" == Krzysztof Sawicki <krzysztof.sawicki at mlabs.pl> writes:
Krzysztof> Hi, I played with a tls client demo application and noticed
Krzysztof> such an issue: in nut/app/tls_client/tls_client.c we check the
Krzysztof> result returned by ssl_verify_cert:
Krzysztof>     switch(ssl_verify_cert(ssl)) {
Krzysztof>     case SSL_X509_ERROR(X509_OK): printf("OK\n"); break;
Krzysztof>     case SSL_X509_ERROR(X509_NOT_OK): printf("NOT OK\n"); break;
Krzysztof>     case SSL_X509_ERROR(X509_VFY_ERROR_NO_TRUSTED_CERT): printf("Not trusted\n"); break;
Krzysztof>     case SSL_X509_ERROR(X509_VFY_ERROR_BAD_SIGNATURE): printf("Bad signature\n"); break;
Krzysztof>     case SSL_X509_ERROR(X509_VFY_ERROR_NOT_YET_VALID): printf("Not yet valid\n"); break;
Krzysztof>     case SSL_X509_ERROR(X509_VFY_ERROR_EXPIRED): printf("Expired\n"); break;
Krzysztof>     case SSL_X509_ERROR(X509_VFY_ERROR_SELF_SIGNED): printf("Self signed\n"); break;
Krzysztof>     case SSL_X509_ERROR(X509_VFY_ERROR_UNSUPPORTED_DIGEST): printf("Unsupported digest\n"); break;
Krzysztof>     }
Krzysztof> but in nut/tls/tls1.c ssl_verify_cert looks as follows:
Krzysztof>     int ssl_verify_cert(const SSL *ssl)
Krzysztof>     {
Krzysztof>         int ret;
Krzysztof>         SSL_CTX_LOCK(ssl->ssl_ctx->mutex);
Krzysztof>         ret = x509_verify(ssl->ssl_ctx->ca_cert_ctx, ssl->x509_ctx);
Krzysztof>         SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex);
Krzysztof>         if (ret) /* modify into an SSL error type */
Krzysztof>         {
Krzysztof>             ret = SSL_X509_ERROR(ret);
Krzysztof>         }
Krzysztof>         return ret;
Krzysztof>     }
Krzysztof> so, if there is no error (certificate is ok), ssl_verify_cert
Krzysztof> returns X509_OK(=0), but in tls_client we expect
Krzysztof> SSL_X509_ERROR(X509_OK)(=-512).
Good catch.
Ole, can you comment?
Bye
--
Uwe Bonnes bon at elektron.ikp.physik.tu-darmstadt.de
Institut fuer Kernphysik Schlossgartenstrasse 9 64289 Darmstadt
--------- Tel. 06151 1623569 ------- Fax. 06151 1623305 ---------
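To illustrate the mismatch Krzysztof describes, here is an added C example (not Nut/OS or axTLS code) that models the return mapping of ssl_verify_cert and puts the demo's switch next to a corrected version. The X509_* error values and the exact form of the SSL_X509_ERROR macro are assumed; only X509_OK = 0 and SSL_X509_ERROR(X509_OK) = -512 are taken from the message.

```c
#include <string.h>

/* Assumed values (axTLS-style); the message only fixes X509_OK == 0 and
 * SSL_X509_ERROR(X509_OK) == -512. */
#define X509_OK                            0
#define X509_NOT_OK                       -1
#define X509_VFY_ERROR_NO_TRUSTED_CERT    -2
#define X509_VFY_ERROR_BAD_SIGNATURE      -3
#define X509_VFY_ERROR_EXPIRED            -6
#define SSL_X509_OFFSET                   -512
#define SSL_X509_ERROR(A)                 (SSL_X509_OFFSET - (A))

/* Same mapping as the quoted ssl_verify_cert(): only a non-zero
 * x509_verify() result is turned into an SSL error; X509_OK stays 0. */
int model_ssl_verify_cert(int x509_result)
{
    return x509_result ? SSL_X509_ERROR(x509_result) : x509_result;
}

/* The demo's check as quoted: success is only matched as
 * SSL_X509_ERROR(X509_OK) == -512, a value ssl_verify_cert() never
 * returns, so a verified certificate falls through to the default branch. */
const char *describe_as_in_demo(int rc)
{
    switch (rc) {
    case SSL_X509_ERROR(X509_OK):                        return "OK";
    case SSL_X509_ERROR(X509_NOT_OK):                    return "NOT OK";
    case SSL_X509_ERROR(X509_VFY_ERROR_NO_TRUSTED_CERT): return "Not trusted";
    case SSL_X509_ERROR(X509_VFY_ERROR_BAD_SIGNATURE):   return "Bad signature";
    case SSL_X509_ERROR(X509_VFY_ERROR_EXPIRED):         return "Expired";
    default:                                             return "unhandled";
    }
}

/* Corrected check: test for X509_OK (0) first, then decode the SSL error
 * codes; the case labels for the failure codes are unchanged. */
const char *describe_fixed(int rc)
{
    if (rc == X509_OK)
        return "OK";
    switch (rc) {
    case SSL_X509_ERROR(X509_NOT_OK):                    return "NOT OK";
    case SSL_X509_ERROR(X509_VFY_ERROR_NO_TRUSTED_CERT): return "Not trusted";
    case SSL_X509_ERROR(X509_VFY_ERROR_BAD_SIGNATURE):   return "Bad signature";
    case SSL_X509_ERROR(X509_VFY_ERROR_EXPIRED):         return "Expired";
    default:                                             return "unhandled";
    }
}
```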