Google Git
Sign in
pigweed / third_party / github / ARMmbed / mbedtls / fcf2fc29605f86c97339cf09ed0bca2446400cac^! / . / programs
commitfcf2fc29605f86c97339cf09ed0bca2446400cac[log] [tgz]
authorManuel Pégourié-Gonnard <mpg@elzevir.fr>Tue Mar 11 11:10:27 2014 +0100
committerManuel Pégourié-Gonnard <mpg@elzevir.fr>Thu Mar 13 19:25:07 2014 +0100
treea09697802ad2c7e83f2a1f9173f3fbef713e150e
parente2ce2112ac2d3ee583e17b377efe71f673322379 [diff]
Make auth_mode=required the default in ssl_client2

diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index efb210e..11e04f3 100644
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c

@@ -155,6 +155,8 @@
     printf( " ok\n" );
 
     ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
+    /* OPTIONAL is not optimal for security,
+     * but makes interop easier in this simplified example */
     ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
     ssl_set_ca_chain( &ssl, &cacert, NULL, "PolarSSL Server 1" );
 
@@ -185,6 +187,7 @@
      */
     printf( "  . Verifying peer X.509 certificate..." );
 
+    /* In real life, we may want to bail out when ret != 0 */
     if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
     {
         printf( " failed\n" );

diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index e8917e1..5f7c3be 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c

@@ -52,7 +52,7 @@
 #define DFL_ALLOW_LEGACY        SSL_LEGACY_NO_RENEGOTIATION
 #define DFL_MIN_VERSION         -1
 #define DFL_MAX_VERSION         -1
-#define DFL_AUTH_MODE           SSL_VERIFY_OPTIONAL
+#define DFL_AUTH_MODE           SSL_VERIFY_REQUIRED
 #define DFL_MFL_CODE            SSL_MAX_FRAG_LEN_NONE
 #define DFL_TRUNC_HMAC          0
 #define DFL_RECONNECT           0
@@ -216,7 +216,7 @@
     "    max_version=%%s      default: \"\" (tls1_2)\n"     \
     "    force_version=%%s    default: \"\" (none)\n"       \
     "                        options: ssl3, tls1, tls1_1, tls1_2\n" \
-    "    auth_mode=%%s        default: \"optional\"\n"          \
+    "    auth_mode=%%s        default: \"required\"\n"      \
     "                        options: none, optional, required\n" \
     USAGE_MAX_FRAG_LEN                                      \
     USAGE_TRUNC_HMAC                                        \
@@ -737,7 +737,16 @@
     {
         if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
         {
-            printf( " failed\n  ! ssl_handshake returned -0x%x\n\n", -ret );
+            printf( " failed\n  ! ssl_handshake returned -0x%x\n", -ret );
+            if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED )
+                printf(
+                    "    Unable to verify the server's certificate. "
+                        "Either it is invalid,\n"
+                    "    or you didn't set ca_file or ca_path "
+                        "to an appropriate value.\n"
+                    "    Alternatively, you may want to use "
+                        "auth_mode=optional for testing purposes.\n" );
+            printf( "\n" );
             goto exit;
         }
     }

diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index a0e1cb6..8d1b060 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c

@@ -156,6 +156,7 @@
      */
     printf( "  . Verifying peer X.509 certificate..." );
 
+    /* In real life, we may want to bail out when ret != 0 */
     if( ( ret = ssl_get_verify_result( ssl ) ) != 0 )
     {
         printf( " failed\n" );
@@ -590,6 +591,8 @@
     printf( " ok\n" );
 
     ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
+    /* OPTIONAL is not optimal for security,
+     * but makes interop easier in this simplified example */
     ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
 
     ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );