Hello OpenSSL dev team,

Currently we are using OpenSSL 0.9.8q. Earlier we used OpenSSL 0.9.8k. We have seen a change in the return value handling of ssl_verify_cert_chain() in the function ssl3_get_client_certificate().

In OpenSSL 0.9.8k, the return value of ssl_verify_cert_chain() is handled like this:

    else
        {
        i=ssl_verify_cert_chain(s,sc->cert_chain);
        if (i < 0)
            {
            ret = i;
            goto err;
            }
        else if (i == 0)
            {
            al=ssl_verify_alarm_type(s->verify_result);
            SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
            goto f_err;
            }
        }

But in OpenSSL 0.9.8q, the same code has been changed to:

    else
        {
        i=ssl_verify_cert_chain(s,sk);
        if (i <= 0)
            {
            al=ssl_verify_alarm_type(s->verify_result);
            SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
            goto f_err;
            }
        }

Is there any reason behind this change?

Currently we have registered our own callback functions to perform verification of certificates. In our code, we return negative values if the CRL fetch / certificate verification is in progress. Due to this, OpenSSL 0.9.8q treats the negative values as an error, sends an alert and clears its session. The same code worked with OpenSSL 0.9.8k because OpenSSL did not treat a negative value as an error.

Is there any way we can get out of this situation with OpenSSL 0.9.8q?

Thanks & Regards,
Rajeswari.