openssl

History

Viktor Dukhovni f75b34c8c8 When strict SCT fails record verification failure Since with SSL_VERIFY_NONE, the connection may continue and the session may even be cached, we should save some evidence that the chain was not sufficiently verified and would have been rejected with SSL_VERIFY_PEER. To that end when a CT callback returs failure we set the verify result to X509_V_ERR_NO_VALID_SCTS. Note: We only run the CT callback in the first place if the verify result is still X509_V_OK prior to start of the callback. RT #4502 Reviewed-by: Tim Hudson <tjh@openssl.org>	2016-05-19 00:25:42 -04:00
..
internal	Copyright consolidation 03/10	2016-05-17 14:24:17 -04:00
openssl	When strict SCT fails record verification failure	2016-05-19 00:25:42 -04:00

Viktor Dukhovni f75b34c8c8 When strict SCT fails record verification failure

Since with SSL_VERIFY_NONE, the connection may continue and the
session may even be cached, we should save some evidence that the
chain was not sufficiently verified and would have been rejected
with SSL_VERIFY_PEER.  To that end when a CT callback returs failure
we set the verify result to X509_V_ERR_NO_VALID_SCTS.

Note: We only run the CT callback in the first place if the verify
result is still X509_V_OK prior to start of the callback.

RT #4502

Reviewed-by: Tim Hudson <tjh@openssl.org>

2016-05-19 00:25:42 -04:00

internal

2016-05-17 14:24:17 -04:00

openssl

When strict SCT fails record verification failure

2016-05-19 00:25:42 -04:00