Make auth_mode=required the default in ssl_client2
diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index a902376..eefb099 100644
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@@ -157,6 +157,8 @@
printf( " ok\n" );
ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
+ /* OPTIONAL is not optimal for security,
+ * but makes interop easier in this simplified example */
ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
ssl_set_ca_chain( &ssl, &cacert, NULL, "PolarSSL Server 1" );
@@ -187,6 +189,7 @@
*/
printf( " . Verifying peer X.509 certificate..." );
+ /* In real life, we may want to bail out when ret != 0 */
if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
{
printf( " failed\n" );
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 2247d5c..b55cb0b 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -54,7 +54,7 @@
#define DFL_ALLOW_LEGACY SSL_LEGACY_NO_RENEGOTIATION
#define DFL_MIN_VERSION -1
#define DFL_MAX_VERSION -1
-#define DFL_AUTH_MODE SSL_VERIFY_OPTIONAL
+#define DFL_AUTH_MODE SSL_VERIFY_REQUIRED
#define GET_REQUEST "GET %s HTTP/1.0\r\n\r\n"
@@ -156,7 +156,7 @@
" max_version=%%s default: \"\" (tls1_2)\n" \
" force_version=%%s default: \"\" (none)\n" \
" options: ssl3, tls1, tls1_1, tls1_2\n" \
- " auth_mode=%%s default: \"optional\"\n" \
+ " auth_mode=%%s default: \"required\"\n" \
" options: none, optional, required\n" \
"\n" \
" force_ciphersuite=<name> default: all enabled\n"\
@@ -521,7 +521,16 @@
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
- printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret );
+ printf( " failed\n ! ssl_handshake returned -0x%x\n", -ret );
+ if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED )
+ printf(
+ " Unable to verify the server's certificate. "
+ "Either it is invalid,\n"
+ " or you didn't set ca_file or ca_path "
+ "to an appropriate value.\n"
+ " Alternatively, you may want to use "
+ "auth_mode=optional for testing purposes.\n" );
+ printf( "\n" );
goto exit;
}
}
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index eaa44b6..4f4524a 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -156,6 +156,7 @@
*/
printf( " . Verifying peer X.509 certificate..." );
+ /* In real life, we may want to bail out when ret != 0 */
if( ( ret = ssl_get_verify_result( ssl ) ) != 0 )
{
printf( " failed\n" );
@@ -589,6 +590,8 @@
printf( " ok\n" );
ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
+ /* OPTIONAL is not optimal for security,
+ * but makes interop easier in this simplified example */
ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );