Dr. Stephen Henson wrote:
> On Tue, Nov 15, 2011, Tobias Nissen wrote:
>> Dr. Stephen Henson wrote:
>>> On Tue, Nov 15, 2011, Tobias Nissen wrote:
>>>> I'm indirectly using OpenSSL through Net::SSLeay¹, which I use
>>>> through AnyEvent::TLS². AnyEvent::TLS provides the means to
>>>> define a custom verification mechanism by setting verify_cb³.
>>>> Here's an example (keys included):
>>>>
>>>>   http://paste.scsys.co.uk/159837
>>>>
>>>> If the custom verification callback decides a peer is bad, it
>>>> shall return 0 and return 1 otherwise. If 0 is returned, this
>>>> warning is produced:
>>>>
>>>>   ssl3_get_client_certificate: no certificate returned
[...]
>>> The warning isn't printed by OpenSSL it is an error code. So
>>> perhaps the wrapper is printing the error?
>>
>> I didn't find it in either of the wrapper modules, but I did in
>> OpenSSL:
>>
>> tobi@hal:~/src/openssl-1.0.0e$ rgrep "no certificate returned" *
>> doc/ssleay.txt:Error because no certificate returned.
>> ssl/ssl_err.c:{ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED),"no
>> certificate returned"},
>
> Yes but that's a textual version of the error. OpenSSL does not print
> it out: an application call is needed to do that.

Ah OK. However, I checked with AnyEvent::TLS and Net::SSLeay, neither
of those seems to emit this error message. SSLeay, which is what
AnyEvent::TLS uses, imports a lot of OpenSSL macros, but not
SSL_R_NO_CERTIFICATE_RETURNED.

My guess is that the error is put there by ssl/s3_srvr.c (line 2990,
version 1.0.0e) and printed out by SSLeay. Can you confirm this?

If that's the case, I'd like to know how this warning is produced.
AFAICS my custom verification callback "breaks" the verification
chain, because of

  ssl_verify_cert_chain(s,sk) <= 0

I still don't quite understand the meaning of the warning message.
Can/should I just live with it or does it indicate a bug (in either
OpenSSL, Net::SSLeay or AnyEvent::TLS)?