git.ipfire.org Git - thirdparty/openssl.git/commit
author    Viktor Dukhovni <viktor@openssl.org>  Thu, 19 Dec 2024 17:25:15 +0000 (04:25 +1100)
committer Neil Horman <nhorman@openssl.org>     Tue, 11 Feb 2025 13:26:44 +0000 (08:26 -0500)
commit    6ae8e947d8e3f3f03eeb7d9ad993e341791900bc
tree      12569e3525812ae97b1403258ca48769152c3329
parent    d69c014608acdfa37839d49412e6d6974ac539a0
With SSL_VERIFY_PEER client RPK should abort on X509 error

While RPK performs X.509 checks correctly, at the SSL layer the
SSL_VERIFY_PEER flag was not honoured and connections were allowed to
complete even when the server was not verified.  The client can of
course determine this by calling SSL_get_verify_result(), but some
may not know to do this.

Added tests to make sure this does not regress.

Fixes CVE-2024-12797

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
ssl/statem/statem_clnt.c
test/rpktest.c