diff --git a/ChangeLog b/ChangeLog index 10aea3608..e8f63d13a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -41,6 +41,7 @@ Default behavior changes default ciphersuite list returned by ssl_list_ciphersuites() * Support for receiving SSLv2 ClientHello is now disabled by default at compile time. + * The default authmode for SSL/TLS clients is now REQUIRED. Changes * Remove test program o_p_test, the script compat.sh does more. diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 2642ac65b..abe004cc1 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1156,8 +1156,9 @@ int ssl_set_transport( ssl_context *ssl, int transport ); * \param ssl SSL context * \param authmode can be: * - * SSL_VERIFY_NONE: peer certificate is not checked (default), - * this is insecure and SHOULD be avoided. + * SSL_VERIFY_NONE: peer certificate is not checked + * (default on server) + * (insecure on client) * * SSL_VERIFY_OPTIONAL: peer certificate is checked, however the * handshake continues even if verification failed; diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 25f3a02a1..e87731535 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5195,7 +5195,10 @@ void ssl_set_endpoint( ssl_context *ssl, int endpoint ) #if defined(POLARSSL_SSL_SESSION_TICKETS) && \ defined(POLARSSL_SSL_CLI_C) if( endpoint == SSL_IS_CLIENT ) + { ssl->session_tickets = SSL_SESSION_TICKETS_ENABLED; + ssl->authmode = SSL_VERIFY_REQUIRED; + } #endif #if defined(POLARSSL_SSL_TRUNCATED_HMAC) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 93ab15bd9..92599766d 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -86,7 +86,7 @@ #define DFL_MIN_VERSION SSL_MINOR_VERSION_1 #define DFL_MAX_VERSION -1 #define DFL_ARC4 -1 -#define DFL_AUTH_MODE SSL_VERIFY_REQUIRED +#define DFL_AUTH_MODE -1 #define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE #define DFL_TRUNC_HMAC -1 #define DFL_RECSPLIT -1 @@ -229,7 +229,7 @@ "\n" \ USAGE_DTLS \ "\n" \ - " auth_mode=%%s default: \"required\"\n" \ + " auth_mode=%%s default: (library default: none)\n" \ " options: none, optional, required\n" \ USAGE_IO \ "\n" \ @@ -249,7 +249,7 @@ USAGE_ETM \ USAGE_RECSPLIT \ "\n" \ - " arc4=%%d default: (library default)\n" \ + " arc4=%%d default: (library default: 0)\n" \ " min_version=%%s default: \"\" (ssl3)\n" \ " max_version=%%s default: \"\" (tls1_2)\n" \ " force_version=%%s default: \"\" (none)\n" \ @@ -1074,7 +1074,8 @@ int main( int argc, char *argv[] ) #endif ssl_set_endpoint( &ssl, SSL_IS_CLIENT ); - ssl_set_authmode( &ssl, opt.auth_mode ); + if( opt.auth_mode != DFL_AUTH_MODE ) + ssl_set_authmode( &ssl, opt.auth_mode ); #if defined(POLARSSL_SSL_PROTO_DTLS) if( ( ret = ssl_set_transport( &ssl, opt.transport ) ) != 0 ) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 8a3010fbd..c2beec79e 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -102,7 +102,7 @@ #define DFL_MIN_VERSION SSL_MINOR_VERSION_1 #define DFL_MAX_VERSION -1 #define DFL_ARC4 -1 -#define DFL_AUTH_MODE SSL_VERIFY_OPTIONAL +#define DFL_AUTH_MODE -1 #define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE #define DFL_TRUNC_HMAC -1 #define DFL_TICKETS SSL_SESSION_TICKETS_ENABLED @@ -296,7 +296,7 @@ USAGE_ANTI_REPLAY \ USAGE_BADMAC_LIMIT \ "\n" \ - " auth_mode=%%s default: \"optional\"\n" \ + " auth_mode=%%s default: (library default: required)\n" \ " options: none, optional, required\n" \ USAGE_IO \ USAGE_SNI \ @@ -315,7 +315,7 @@ USAGE_EMS \ USAGE_ETM \ "\n" \ - " arc4=%%d default: (library default)\n" \ + " arc4=%%d default: (library default: 0)\n" \ " min_version=%%s default: \"ssl3\"\n" \ " max_version=%%s default: \"tls1_2\"\n" \ " force_version=%%s default: \"\" (none)\n" \ @@ -1524,7 +1524,8 @@ int main( int argc, char *argv[] ) } ssl_set_endpoint( &ssl, SSL_IS_SERVER ); - ssl_set_authmode( &ssl, opt.auth_mode ); + if( opt.auth_mode != DFL_AUTH_MODE ) + ssl_set_authmode( &ssl, opt.auth_mode ); #if defined(POLARSSL_SSL_PROTO_DTLS) if( ( ret = ssl_set_transport( &ssl, opt.transport ) ) != 0 ) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 82d123894..c42e98e01 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1164,7 +1164,7 @@ run_test "Max fragment length: DTLS client, larger message" \ # Tests for renegotiation run_test "Renegotiation: none, for reference" \ - "$P_SRV debug_level=3 exchanges=2" \ + "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=2" \ 0 \ -C "client hello, adding renegotiation extension" \ @@ -1177,7 +1177,7 @@ run_test "Renegotiation: none, for reference" \ -S "write hello request" run_test "Renegotiation: client-initiated" \ - "$P_SRV debug_level=3 exchanges=2 renegotiation=1" \ + "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ 0 \ -c "client hello, adding renegotiation extension" \ @@ -1190,7 +1190,7 @@ run_test "Renegotiation: client-initiated" \ -S "write hello request" run_test "Renegotiation: server-initiated" \ - "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ + "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \ 0 \ -c "client hello, adding renegotiation extension" \ @@ -1203,7 +1203,7 @@ run_test "Renegotiation: server-initiated" \ -s "write hello request" run_test "Renegotiation: double" \ - "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ + "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ 0 \ -c "client hello, adding renegotiation extension" \ @@ -1216,7 +1216,7 @@ run_test "Renegotiation: double" \ -s "write hello request" run_test "Renegotiation: client-initiated, server-rejected" \ - "$P_SRV debug_level=3 exchanges=2 renegotiation=0" \ + "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ 1 \ -c "client hello, adding renegotiation extension" \ @@ -1231,7 +1231,7 @@ run_test "Renegotiation: client-initiated, server-rejected" \ -c "failed" run_test "Renegotiation: server-initiated, client-rejected, default" \ - "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ + "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \ 0 \ -C "client hello, adding renegotiation extension" \ @@ -1247,7 +1247,7 @@ run_test "Renegotiation: server-initiated, client-rejected, default" \ run_test "Renegotiation: server-initiated, client-rejected, not enforced" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \ - renego_delay=-1" \ + renego_delay=-1 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \ 0 \ -C "client hello, adding renegotiation extension" \ @@ -1264,7 +1264,7 @@ run_test "Renegotiation: server-initiated, client-rejected, not enforced" \ # delay 2 for 1 alert record + 1 application data record run_test "Renegotiation: server-initiated, client-rejected, delay 2" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \ - renego_delay=2" \ + renego_delay=2 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \ 0 \ -C "client hello, adding renegotiation extension" \ @@ -1280,7 +1280,7 @@ run_test "Renegotiation: server-initiated, client-rejected, delay 2" \ run_test "Renegotiation: server-initiated, client-rejected, delay 0" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \ - renego_delay=0" \ + renego_delay=0 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \ 0 \ -C "client hello, adding renegotiation extension" \ @@ -1295,7 +1295,7 @@ run_test "Renegotiation: server-initiated, client-rejected, delay 0" \ run_test "Renegotiation: server-initiated, client-accepted, delay 0" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \ - renego_delay=0" \ + renego_delay=0 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \ 0 \ -c "client hello, adding renegotiation extension" \ @@ -1310,7 +1310,7 @@ run_test "Renegotiation: server-initiated, client-accepted, delay 0" \ -S "failed" run_test "Renegotiation: periodic, just below period" \ - "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3" \ + "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \ 0 \ -C "client hello, adding renegotiation extension" \ @@ -1327,7 +1327,7 @@ run_test "Renegotiation: periodic, just below period" \ # one extra exchange to be able to complete renego run_test "Renegotiation: periodic, just above period" \ - "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3" \ + "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \ 0 \ -c "client hello, adding renegotiation extension" \ @@ -1343,7 +1343,7 @@ run_test "Renegotiation: periodic, just above period" \ -S "failed" run_test "Renegotiation: periodic, two times period" \ - "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3" \ + "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \ 0 \ -c "client hello, adding renegotiation extension" \ @@ -1359,7 +1359,7 @@ run_test "Renegotiation: periodic, two times period" \ -S "failed" run_test "Renegotiation: periodic, above period, disabled" \ - "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3" \ + "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \ 0 \ -C "client hello, adding renegotiation extension" \ @@ -1375,7 +1375,7 @@ run_test "Renegotiation: periodic, above period, disabled" \ -S "failed" run_test "Renegotiation: nbio, client-initiated" \ - "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1" \ + "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \ "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \ 0 \ -c "client hello, adding renegotiation extension" \ @@ -1388,7 +1388,7 @@ run_test "Renegotiation: nbio, client-initiated" \ -S "write hello request" run_test "Renegotiation: nbio, server-initiated" \ - "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \ + "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \ "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \ 0 \ -c "client hello, adding renegotiation extension" \