miwarin

Reputation: 123

Can an OpenSSL server know if an SSL/TLS client skips verifying the 'server certificate'?

I am writing an SSL/TLS server using the OpenSSL API. Some SSL/TLS clients can skip verifying the 'server certificate' (e.g. msmtp --tls-certcheck=off). Can the SSL/TLS server know that the SSL/TLS client skipped verification?

I understand that SSL_get_verify_result cannot tell me that:

If no peer certificate was presented, the returned result code is X509_V_OK. This is because no verification error occurred, it does however not indicate success. SSL_get_verify_result() is only useful in connection with SSL_get_peer_certificate(3).

Does OpenSSL have an API to know whether the server certificate was ignored?

Upvotes: 0

Views: 246

Answers (1)

Steffen Ullrich

Reputation: 123260

Nothing in the TLS handshake indicates whether a client does not validate the server certificate at all or does not validate it properly. Therefore no OpenSSL API could be created to return such information.

The only way a server could detect such wrong behavior is to provide an invalid certificate and see if the client wrongly accepts it, i.e. continues with the TLS handshake and sends application data.

Upvotes: 1
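The canary check the answer describes, as an added example that is not part of the original post: a Go program (Go's crypto/tls rather than OpenSSL, but the observable handshake behaviour is the same) serves a self-signed certificate that no client trusts and reports the only thing the server can see, namely whether the peer finished the handshake and sent application data. The certificate, the name canary.invalid and the probe line are constructed for this demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// ClientAcceptedCanary serves a throwaway self-signed certificate (constructed here, trusted by
// no client) on loopback and connects a client that differs only in skipVerify. It returns what
// the server alone can observe: whether the handshake finished and application data arrived.
func ClientAcceptedCanary(skipVerify bool) (bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"canary.invalid"}, // placeholder name, not a real host
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return false, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}})
	if err != nil {
		return false, err
	}
	defer ln.Close()
	go func() { // client side: a verifying client aborts with an alert; with skipVerify it proceeds
		c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: "canary.invalid", InsecureSkipVerify: skipVerify})
		if err == nil {
			c.Write([]byte("EHLO probe\r\n")) // constructed application data
			c.Close()
		}
	}()
	conn, err := ln.Accept()
	if err != nil {
		return false, err
	}
	defer conn.Close()
	conn.SetReadDeadline(time.Now().Add(3 * time.Second))
	n, err := conn.Read(make([]byte, 64)) // server side: Read completes the handshake, then waits for data
	return err == nil && n > 0, nil
}
```

A client that rejects the certificate shows up to the server only as a failed handshake, which looks like any other handshake failure; the server learns something only from a client that keeps going and sends data.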
