Make auth_mode=required the default in ssl_client2

2025-01-09 02:55:27 +00:00 · 2014-03-11 11:10:27 +01:00 · 2014-03-11 11:10:27 +01:00 · 516eb623df
parent 8a56d3044d
commit 516eb623df
3 changed files with 18 additions and 3 deletions
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@ -157,6 +157,8 @@ int main( int argc, char *argv[] )
    printf( " ok\n" );

    ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
+    /* OPTIONAL is not optimal for security,
+     * but makes interop easier in this simplified example */
    ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
    ssl_set_ca_chain( &ssl, &cacert, NULL, "PolarSSL Server 1" );

@ -187,6 +189,7 @@ int main( int argc, char *argv[] )
     */
    printf( "  . Verifying peer X.509 certificate..." );

+    /* In real life, we may want to bail out when ret != 0 */
    if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
    {
        printf( " failed\n" );
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -54,7 +54,7 @@
 #define DFL_ALLOW_LEGACY        SSL_LEGACY_NO_RENEGOTIATION
 #define DFL_MIN_VERSION         -1
 #define DFL_MAX_VERSION         -1
-#define DFL_AUTH_MODE           SSL_VERIFY_OPTIONAL
+#define DFL_AUTH_MODE           SSL_VERIFY_REQUIRED

 #define GET_REQUEST "GET %s HTTP/1.0\r\n\r\n"

@ -156,7 +156,7 @@ int my_verify( void *data, x509_cert *crt, int depth, int *flags )
    "    max_version=%%s      default: \"\" (tls1_2)\n"     \
    "    force_version=%%s    default: \"\" (none)\n"       \
    "                        options: ssl3, tls1, tls1_1, tls1_2\n" \
-    "    auth_mode=%%s        default: \"optional\"\n"          \
+    "    auth_mode=%%s        default: \"required\"\n"      \
    "                        options: none, optional, required\n" \
    "\n"                                                    \
    "    force_ciphersuite=<name>    default: all enabled\n"\
@ -521,7 +521,16 @@ int main( int argc, char *argv[] )
    {
        if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
        {
-            printf( " failed\n  ! ssl_handshake returned -0x%x\n\n", -ret );
+            printf( " failed\n  ! ssl_handshake returned -0x%x\n", -ret );
+            if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED )
+                printf(
+                    "    Unable to verify the server's certificate. "
+                        "Either it is invalid,\n"
+                    "    or you didn't set ca_file or ca_path "
+                        "to an appropriate value.\n"
+                    "    Alternatively, you may want to use "
+                        "auth_mode=optional for testing purposes.\n" );
+            printf( "\n" );
            goto exit;
        }
    }
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@ -156,6 +156,7 @@ int do_handshake( ssl_context *ssl, struct options *opt )
     */
    printf( "  . Verifying peer X.509 certificate..." );

+    /* In real life, we may want to bail out when ret != 0 */
    if( ( ret = ssl_get_verify_result( ssl ) ) != 0 )
    {
        printf( " failed\n" );
@ -589,6 +590,8 @@ int main( int argc, char *argv[] )
    printf( " ok\n" );

    ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
+    /* OPTIONAL is not optimal for security,
+     * but makes interop easier in this simplified example */
    ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );

    ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );