Is verification supposed to fail with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT without SSL_CTX_set_client_CA_list?

Really?
As your post alarmed me, I tried my test programs again and didn't notice
anything wrong.
I have server code whose context is configured with SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT and which does not call
SSL_CTX_set_client_CA_list().
In this case, the handshake fails as expected when clients don't send a
certificate.
OpenSSL Windows 32-bit version 1.1 from the git repo, as of yesterday.

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On behalf of
Jeffrey Walton
Sent: Saturday 27 February 2016 22:22
To: OpenSSL Users List
Subject: [openssl-users] Is verification supposed to fail with
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT without
SSL_CTX_set_client_CA_list?

This came up recently on Stack Overflow. The server code specified
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, but failed to call
SSL_CTX_set_client_CA_list. The connection did not fail as expected.

Looking at the man pages for SSL_CTX_set_verify [1] and
SSL_CTX_set_client_CA_list [2], it looks like the connection is supposed to
fail. From [1]:

    SSL_VERIFY_FAIL_IF_NO_PEER_CERT

        Server mode: if the client did not return a certificate,
        the TLS/SSL handshake is immediately terminated
        with a "handshake failure" alert...

Is verification supposed to fail with SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT regardless of the interactions with
SSL_CTX_set_client_CA_list? Or is there a hidden dependency on
SSL_CTX_set_client_CA_list?


