Enable peer verification with s_server's verify_return_error option
authorRyan Hooper <ryhooper@cisco.com>
Thu, 28 Aug 2025 18:58:02 +0000 (14:58 -0400)
committerTomas Mraz <tomas@openssl.org>
Thu, 18 Sep 2025 15:24:03 +0000 (17:24 +0200)
If the option is specified it will now implicitly enable peer verification.

The s_client command already behaved this way, so
s_server was updated to match the behavior of s_client.

Fixes #15134

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28445)

CHANGES.md
apps/s_server.c

index 7b7222bb1a0b5917b73a54b2ad92039dd8e2159b..6aab4733e1b444f200e027f76ba18024fb206a1d 100644 (file)
@@ -41,6 +41,11 @@ OpenSSL 4.0
 
    *Igor Ustinov*
 
+ * Enabled Server verification by default in `s_server` when option
+   verify_return_error is enabled.
+
+   *Ryan Hooper*
+
 OpenSSL 3.6
 -----------
 
index 3edb53d00a4192894729e459e5da01aeef51e631..94f225f4426c36a76c1f0e917eabdd74c43c17f4 100644 (file)
@@ -1568,6 +1568,7 @@ int s_server_main(int argc, char *argv[])
                 goto end;
             break;
         case OPT_VERIFY_RET_ERROR:
+            s_server_verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
             verify_args.return_error = 1;
             break;
         case OPT_VERIFY_QUIET:
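Review bot: The plain assignment added under `case OPT_VERIFY_RET_ERROR:` replaces whatever verify mode an earlier option has already set, instead of adding to it. If a handler outside this hunk (presumably the one for `-Verify`) has set `SSL_VERIFY_FAIL_IF_NO_PEER_CERT`, passing `-verify_return_error` after it would clear that flag and make the client certificate optional again, so the effective policy would depend on option order. OR-ing the bits in preserves any stricter mode: `s_server_verify |= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;`. A one-line comment such as `/* implies peer verification, matching s_client */` would also explain why an error-handling option changes the verify mode. The switch in s_server_main starts and ends outside the hunk, so the interaction with the other cases should be confirmed there.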