From: Ryan Hooper
Date: Thu, 28 Aug 2025 18:58:02 +0000 (-0400)
Subject: Enable peer verification with s_server's verify_return_error option
X-Git-Tag: 4.0-PRE-CLANG-FORMAT-WEBKIT~469
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e5f01903ed7c2872ab06c0a489c78e3224cbe213;p=thirdparty%2Fopenssl.git

Enable peer verification with s_server's verify_return_error option

If the option is specified it will now implicitly enable peer verification. The s_client command already behaved this way, so s_server was updated to match the behavior of s_client.

Fixes #15134

Reviewed-by: Matt Caswell
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/28445)
---

diff --git a/CHANGES.md b/CHANGES.md index 7b7222bb1a0..6aab4733e1b 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -41,6 +41,11 @@ OpenSSL 4.0 *Igor Ustinov* + * Enabled Server verification by default in `s_server` when option + verify_return_error is enabled. + + *Ryan Hooper* + OpenSSL 3.6 ----------- diff --git a/apps/s_server.c b/apps/s_server.c index 3edb53d00a4..94f225f4426 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -1568,6 +1568,7 @@ int s_server_main(int argc, char *argv[]) goto end; break; case OPT_VERIFY_RET_ERROR: + s_server_verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE; verify_args.return_error = 1; break; case OPT_VERIFY_QUIET:
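Review bot: The new CHANGES.md entry says "Enabled Server verification by default", which does not match what the code and the commit message describe. The s_server.c hunk sets SSL_VERIFY_PEER on the server side, so it is the peer (the client certificate) that gets verified, not the server. "By default" is also misleading, because nothing changes unless the option is passed. The option name is the only identifier in the entry left without backticks. Suggested wording: "`s_server` now implicitly enables peer verification when the `-verify_return_error` option is given."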
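Review bot: In the OPT_VERIFY_RET_ERROR case of the apps/s_server.c hunk, `s_server_verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;` is a plain assignment, so it replaces whatever mask an option parsed earlier on the command line stored in s_server_verify. If any other case sets a stricter mask, the result depends on argument order, and placing this option last would silently drop the extra flags. Consider `s_server_verify |= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;`, or only assigning when the variable still holds its initial value. The mask also omits SSL_VERIFY_FAIL_IF_NO_PEER_CERT, so a client that sends no certificate is still accepted. That may be the intended parity with s_client, but it deserves a short comment here and a sentence in the option's documentation, which this diff does not touch.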