Make auth_mode=required the default in ssl_client2

This commit is contained in:
Manuel Pégourié-Gonnard 2014-03-11 11:10:27 +01:00
parent e2ce2112ac
commit fcf2fc2960
3 changed files with 18 additions and 3 deletions

View file

@ -155,6 +155,8 @@ int main( int argc, char *argv[] )
printf( " ok\n" ); printf( " ok\n" );
ssl_set_endpoint( &ssl, SSL_IS_CLIENT ); ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
/* OPTIONAL is not optimal for security,
* but makes interop easier in this simplified example */
ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL ); ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
ssl_set_ca_chain( &ssl, &cacert, NULL, "PolarSSL Server 1" ); ssl_set_ca_chain( &ssl, &cacert, NULL, "PolarSSL Server 1" );
@ -185,6 +187,7 @@ int main( int argc, char *argv[] )
*/ */
printf( " . Verifying peer X.509 certificate..." ); printf( " . Verifying peer X.509 certificate..." );
/* In real life, we may want to bail out when ret != 0 */
if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 ) if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
{ {
printf( " failed\n" ); printf( " failed\n" );

View file

@ -52,7 +52,7 @@
#define DFL_ALLOW_LEGACY SSL_LEGACY_NO_RENEGOTIATION #define DFL_ALLOW_LEGACY SSL_LEGACY_NO_RENEGOTIATION
#define DFL_MIN_VERSION -1 #define DFL_MIN_VERSION -1
#define DFL_MAX_VERSION -1 #define DFL_MAX_VERSION -1
#define DFL_AUTH_MODE SSL_VERIFY_OPTIONAL #define DFL_AUTH_MODE SSL_VERIFY_REQUIRED
#define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE #define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE
#define DFL_TRUNC_HMAC 0 #define DFL_TRUNC_HMAC 0
#define DFL_RECONNECT 0 #define DFL_RECONNECT 0
@ -216,7 +216,7 @@ static int my_verify( void *data, x509_crt *crt, int depth, int *flags )
" max_version=%%s default: \"\" (tls1_2)\n" \ " max_version=%%s default: \"\" (tls1_2)\n" \
" force_version=%%s default: \"\" (none)\n" \ " force_version=%%s default: \"\" (none)\n" \
" options: ssl3, tls1, tls1_1, tls1_2\n" \ " options: ssl3, tls1, tls1_1, tls1_2\n" \
" auth_mode=%%s default: \"optional\"\n" \ " auth_mode=%%s default: \"required\"\n" \
" options: none, optional, required\n" \ " options: none, optional, required\n" \
USAGE_MAX_FRAG_LEN \ USAGE_MAX_FRAG_LEN \
USAGE_TRUNC_HMAC \ USAGE_TRUNC_HMAC \
@ -737,7 +737,16 @@ int main( int argc, char *argv[] )
{ {
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{ {
printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret ); printf( " failed\n ! ssl_handshake returned -0x%x\n", -ret );
if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED )
printf(
" Unable to verify the server's certificate. "
"Either it is invalid,\n"
" or you didn't set ca_file or ca_path "
"to an appropriate value.\n"
" Alternatively, you may want to use "
"auth_mode=optional for testing purposes.\n" );
printf( "\n" );
goto exit; goto exit;
} }
} }

View file

@ -156,6 +156,7 @@ static int do_handshake( ssl_context *ssl, struct options *opt )
*/ */
printf( " . Verifying peer X.509 certificate..." ); printf( " . Verifying peer X.509 certificate..." );
/* In real life, we may want to bail out when ret != 0 */
if( ( ret = ssl_get_verify_result( ssl ) ) != 0 ) if( ( ret = ssl_get_verify_result( ssl ) ) != 0 )
{ {
printf( " failed\n" ); printf( " failed\n" );
@ -590,6 +591,8 @@ int main( int argc, char *argv[] )
printf( " ok\n" ); printf( " ok\n" );
ssl_set_endpoint( &ssl, SSL_IS_CLIENT ); ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
/* OPTIONAL is not optimal for security,
* but makes interop easier in this simplified example */
ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL ); ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );