diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index a90237686..eefb099c0 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -157,6 +157,8 @@ int main( int argc, char *argv[] ) printf( " ok\n" ); ssl_set_endpoint( &ssl, SSL_IS_CLIENT ); + /* OPTIONAL is not optimal for security, + * but makes interop easier in this simplified example */ ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL ); ssl_set_ca_chain( &ssl, &cacert, NULL, "PolarSSL Server 1" ); @@ -187,6 +189,7 @@ int main( int argc, char *argv[] ) */ printf( " . Verifying peer X.509 certificate..." ); + /* In real life, we may want to bail out when ret != 0 */ if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 ) { printf( " failed\n" ); diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 2247d5c26..b55cb0bf1 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -54,7 +54,7 @@ #define DFL_ALLOW_LEGACY SSL_LEGACY_NO_RENEGOTIATION #define DFL_MIN_VERSION -1 #define DFL_MAX_VERSION -1 -#define DFL_AUTH_MODE SSL_VERIFY_OPTIONAL +#define DFL_AUTH_MODE SSL_VERIFY_REQUIRED #define GET_REQUEST "GET %s HTTP/1.0\r\n\r\n" @@ -156,7 +156,7 @@ int my_verify( void *data, x509_cert *crt, int depth, int *flags ) " max_version=%%s default: \"\" (tls1_2)\n" \ " force_version=%%s default: \"\" (none)\n" \ " options: ssl3, tls1, tls1_1, tls1_2\n" \ - " auth_mode=%%s default: \"optional\"\n" \ + " auth_mode=%%s default: \"required\"\n" \ " options: none, optional, required\n" \ "\n" \ " force_ciphersuite= default: all enabled\n"\ @@ -521,7 +521,16 @@ int main( int argc, char *argv[] ) { if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { - printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret ); + printf( " failed\n ! ssl_handshake returned -0x%x\n", -ret ); + if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED ) + printf( + " Unable to verify the server's certificate. " + "Either it is invalid,\n" + " or you didn't set ca_file or ca_path " + "to an appropriate value.\n" + " Alternatively, you may want to use " + "auth_mode=optional for testing purposes.\n" ); + printf( "\n" ); goto exit; } } diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index eaa44b648..4f4524aab 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -156,6 +156,7 @@ int do_handshake( ssl_context *ssl, struct options *opt ) */ printf( " . Verifying peer X.509 certificate..." ); + /* In real life, we may want to bail out when ret != 0 */ if( ( ret = ssl_get_verify_result( ssl ) ) != 0 ) { printf( " failed\n" ); @@ -589,6 +590,8 @@ int main( int argc, char *argv[] ) printf( " ok\n" ); ssl_set_endpoint( &ssl, SSL_IS_CLIENT ); + /* OPTIONAL is not optimal for security, + * but makes interop easier in this simplified example */ ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );