Message346818
This issue breaks some stuff at work. I would appreciate it if we can get the fix into 3.7.4. I wasn't aware that we are so close to the cut-off for the 3.7.4 release.
What does the fix do?
I moved all PHA related flags / options from SSL_CTX* to SSL*. The flags and options now depend on the socket type and existing flags.
For a server-side socket, the SSL_VERIFY_POST_HANDSHAKE verify flag is now only set when the server socket is configured to verify client certs. Server sockets without the SSL_VERIFY_PEER flag don't set the option. The presence of SSL_VERIFY_POST_HANDSHAKE without SSL_VERIFY_PEER sometimes triggers handshake errors like "extension not received". The official documentation says "This flag must be used together with SSL_VERIFY_PEER." Both ssl.CERT_OPTIONAL and ssl.CERT_REQUIRED set SSL_VERIFY_PEER. SSL_set_post_handshake_auth() is not enabled for server-side sockets.
For client side sockets, PHA is only enabled with SSL_set_post_handshake_auth(ssl, 1). The SSL_VERIFY_POST_HANDSHAKE flag is no longer set.
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_post_handshake_auth.html

Date | User | Action | Args
2019-06-28 13:59:05 | christian.heimes | set | recipients: + christian.heimes, ned.deily, alex
2019-06-28 13:59:05 | christian.heimes | set | messageid: <1561730345.73.0.962317312984.issue37428@roundup.psfhosted.org>
2019-06-28 13:59:05 | christian.heimes | link | issue37428 messages
2019-06-28 13:59:05 | christian.heimes | create |
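As an added illustration of the two-sided rule described in the message (this is not code from the CPython patch or from christian.heimes), the following shows how a client and a server SSLContext should be set up once the fix is in: post_handshake_auth is opted into per context and must not change verify_mode, and on the server it only has an effect together with CERT_OPTIONAL or CERT_REQUIRED (the modes that set SSL_VERIFY_PEER). The certificate, key and CA file paths are assumed to be supplied by the caller; no files are read when they are omitted.

```python
import ssl
from typing import Optional


def client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client side: PHA is an explicit opt-in and does not touch verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already defaults to CERT_REQUIRED and check_hostname=True.
    if cafile is not None:
        ctx.load_verify_locations(cafile)  # assumed: path provided by the caller
    # Allows the server to request a client certificate after the TLS 1.3 handshake.
    ctx.post_handshake_auth = True
    return ctx


def server_context(certfile: Optional[str] = None, keyfile: Optional[str] = None,
                   cafile: Optional[str] = None,
                   require_client_cert: bool = True) -> ssl.SSLContext:
    """Server side: PHA is only meaningful with SSL_VERIFY_PEER, i.e. with
    CERT_OPTIONAL or CERT_REQUIRED; under CERT_NONE the flag is not set at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)  # assumed: paths provided by the caller
    if cafile is not None:
        ctx.load_verify_locations(cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_OPTIONAL
    ctx.post_handshake_auth = True
    # After the handshake, SSLSocket.verify_client_post_handshake() on this side
    # triggers the certificate request.
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Plain-data summary of the settings that matter for PHA."""
    return {
        "verify_mode": ssl.VerifyMode(ctx.verify_mode).name,
        "check_hostname": bool(ctx.check_hostname),
        "post_handshake_auth": bool(ctx.post_handshake_auth),
    }


def pha_leaves_verify_mode_unchanged() -> bool:
    """Regression check for the behaviour this message fixes: enabling
    post_handshake_auth must not implicitly switch certificate verification on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode may drop to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.post_handshake_auth = True
    return ctx.verify_mode == ssl.CERT_NONE and bool(ctx.post_handshake_auth)


if __name__ == "__main__":
    print("client:", describe(client_context()))
    print("server:", describe(server_context()))
    print("PHA leaves verify_mode alone:", pha_leaves_verify_mode_unchanged())
```

The check in pha_leaves_verify_mode_unchanged() is the one to keep in a test suite: a client that deliberately runs with CERT_NONE (for example against an internal endpoint with its own trust mechanism) should not have verification flipped on, or a handshake error caused, merely because PHA was enabled.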