
Deprecate and no-op SSL_VERIFY_CLIENT_ONCE.

This is documented as "Only request a client certificate on the initial TLS/SSL
handshake. Do not ask for a client certificate again in case of a
renegotiation." Server-side renegotiation is gone.

I'm not sure this flag has ever worked anyway, dating all the way back to
SSLeay 0.8.1b. ssl_get_new_session overwrites s->session, so the old
session->peer is lost.

Change-Id: Ie173243e189c63272c368a55167b8596494fd59c
Reviewed-on: https://boringssl-review.googlesource.com/4883
Reviewed-by: Adam Langley <agl@google.com>
kris/onging/CECPQ3_patch15
David Benjamin 9 years ago
committed by Adam Langley
parent
commit 5aea93e604
3 changed files with 1 addition and 8 deletions
  1. include/openssl/ssl.h (+1, -0)
  2. ssl/d1_srvr.c (+0, -4)
  3. ssl/s3_srvr.c (+0, -4)

include/openssl/ssl.h (+1, -0)

@@ -1528,6 +1528,7 @@ OPENSSL_EXPORT size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t coun
#define SSL_VERIFY_NONE 0x00
#define SSL_VERIFY_PEER 0x01
#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
/* SSL_VERIFY_CLIENT_ONCE does nothing. */
#define SSL_VERIFY_CLIENT_ONCE 0x04
#define SSL_VERIFY_PEER_IF_NO_OBC 0x08
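
Review bot: The new comment above `SSL_VERIFY_CLIENT_ONCE` says only that the flag "does nothing", which gives a caller reading ssl.h no reason and no guidance. Suggest saying that the flag is deprecated, that the define is kept so existing callers that pass it in the verify mode still compile, and that it has no effect because server-side renegotiation is gone, as the commit message explains.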



ssl/d1_srvr.c (+0, -4)

@@ -275,10 +275,6 @@ int dtls1_accept(SSL *s) {
case SSL3_ST_SW_CERT_REQ_B:
if (/* don't request cert unless asked for it: */
!(s->verify_mode & SSL_VERIFY_PEER) ||
/* if SSL_VERIFY_CLIENT_ONCE is set,
* don't request cert during re-negotiation: */
((s->session->peer != NULL) &&
(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
/* With normal PSK Certificates and
* Certificate Requests are omitted */
(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
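
Review bot: Missing justification at the `SSL3_ST_SW_CERT_REQ_B` condition in `dtls1_accept`: the deleted `s->session->peer != NULL` clause was the only part of this test that told a first handshake from a renegotiation, and the commit message argues for its removal in terms of server-side renegotiation in general, not the DTLS server path specifically. Please confirm that this state cannot be reached on an already-established DTLS session, and consider a regression test that sets `SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE` and checks that a client certificate is still requested during the handshake.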


ssl/s3_srvr.c (+0, -4)

@@ -342,10 +342,6 @@ int ssl3_accept(SSL *s) {
/* Don't request a certificate if an obc was presented */
((s->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
s->s3->tlsext_channel_id_valid) ||
/* if SSL_VERIFY_CLIENT_ONCE is set,
* don't request cert during re-negotiation: */
((s->session->peer != NULL) &&
(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
/* With normal PSK Certificates and
* Certificate Requests are omitted */
(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
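
Review bot: The certificate-request condition in `ssl3_accept` is a near copy of the one in `dtls1_accept`, and this change has to delete the same four lines from both; the two copies already differ, since the `SSL_VERIFY_PEER_IF_NO_OBC` clause here has no counterpart in the `ssl/d1_srvr.c` hunk. Consider moving the decision into one shared helper that both state machines call, so that a future change to when a client certificate is requested cannot be applied to one file and missed in the other.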

