artulab
projects / openbsd / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 8022666) | patch
Only enable SSL_VERIFY_PEER when the verify option is set on a listener.
authorjsing <jsing@openbsd.org>
Wed, 21 Oct 2015 16:44:28 +0000 (16:44 +0000)
committerjsing <jsing@openbsd.org>
Wed, 21 Oct 2015 16:44:28 +0000 (16:44 +0000)
commit735c6a189a721f451e7d7dc170c4279675be1e3a
tree24bfd2b5e0e0fa006b131d93c50869c3ae770bf3tree | snapshot
parent802266603cce119af8f1945c8a6a944e47363637commit | diff
Only enable SSL_VERIFY_PEER when the verify option is set on a listener.

Always enabling SSL_VERIFY_PEER unnecessarily increases the number of
messages/bytes in the TLS handshake and increases our attack surface,
since we request and then process client certificates.

ok gilles@
usr.sbin/smtpd/smtp_session.c diff | blob | history
usr.sbin/smtpd/smtpd.h diff | blob | history
usr.sbin/smtpd/ssl_smtpd.c diff | blob | history
OpenBSD src
by Ahmet Artu Yildirim