Author christian.heimes
Recipients alex, christian.heimes, ned.deily
Date 2019-06-28.13:59:05
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1561730345.73.0.962317312984.issue37428@roundup.psfhosted.org>
In-reply-to
Content
This issue breaks some stuff at work. I would appreciate if we can get the fix into 3.7.4. I wasn't aware that we are so close to cut-off to 3.7.4 release.


What does the fix do?
I moved all PHA related flags / options from SSL_CTX* to SSL*. The flags and options now depend on the socket type and existing flags.

For a server-side socket, the SSL_VERIFY_POST_HANDSHAKE verify flag is now only set when the server socket is configured to verify client certs. Server sockets without SSL_VERIFY_PEER flag don't set the option. The presence of SSL_VERIFY_POST_HANDSHAKE without SSL_VERIFY_PEER sometimes triggers handshake errors like "extension not received". The official documentation says "This flag must be used together with SSL_VERIFY_PEER.". The ssl.CERT_OPTIONAL and ssl.CERT_REQURED both set SSL_VERIFY_PEER. SSL_set_post_handshake_auth() is not enabled for server-side sockets.

For client side sockets, PHA is only enabled with SSL_set_post_handshake_auth(ssl, 1). The SSL_VERIFY_POST_HANDSHAKE flag is no longer set.

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_post_handshake_auth.html
History
Date User Action Args
2019-06-28 13:59:05christian.heimessetrecipients: + christian.heimes, ned.deily, alex
2019-06-28 13:59:05christian.heimessetmessageid: <1561730345.73.0.962317312984.issue37428@roundup.psfhosted.org>
2019-06-28 13:59:05christian.heimeslinkissue37428 messages
2019-06-28 13:59:05christian.heimescreate