From 4a2ca4eb5d0b089ce2f70d94a1c92c0504b88332 Mon Sep 17 00:00:00 2001 From: Sebastian Reimers Date: Mon, 3 Jun 2024 15:18:41 +0200 Subject: [PATCH 1/9] tls: refactoring sni ctx usage for libressl support --- src/tls/openssl/sni.c | 32 +----- src/tls/openssl/tls.c | 250 +++++++++++++++--------------------------- src/tls/openssl/tls.h | 3 +- 3 files changed, 95 insertions(+), 190 deletions(-) diff --git a/src/tls/openssl/sni.c b/src/tls/openssl/sni.c index 1f02f707b..5c32d4103 100644 --- a/src/tls/openssl/sni.c +++ b/src/tls/openssl/sni.c @@ -19,12 +19,10 @@ #include "tls.h" -#define DEBUG_MODULE "tls" +#define DEBUG_MODULE "tls/sni" #define DEBUG_LEVEL 5 #include -#if !defined(LIBRESSL_VERSION_NUMBER) - struct tls_conn; @@ -161,28 +159,6 @@ static int ssl_set_verify_client(SSL *ssl, const char *host) } -static int ssl_use_cert(SSL *ssl, struct tls_cert *uc) -{ - int err; - long r; - - SSL_certs_clear(ssl); - r = SSL_clear_chain_certs(ssl); - if (r != 1) - return EINVAL; - - r = SSL_use_cert_and_key(ssl, tls_cert_x509(uc), tls_cert_pkey(uc), - tls_cert_chain(uc), 1); - if (r != 1) { - ERR_clear_error(); - return EINVAL; - } - - err = ssl_set_verify_client(ssl, tls_cert_host(uc)); - return err; -} - - static int ssl_servername_handler(SSL *ssl, int *al, void *arg) { struct tls *tls = arg; @@ -200,7 +176,9 @@ static int ssl_servername_handler(SSL *ssl, int *al, void *arg) goto out; DEBUG_INFO("found cert for sni %s\n", sni); - (void)ssl_use_cert(ssl, uc); + SSL_set_SSL_CTX(ssl, tls_cert_ctx(uc)); + + (void)ssl_set_verify_client(ssl, tls_cert_host(uc)); out: return SSL_TLSEXT_ERR_OK; @@ -218,5 +196,3 @@ void tls_enable_sni(struct tls *tls) ssl_servername_handler); SSL_CTX_set_tlsext_servername_arg(tls_ssl_ctx(tls), tls); } - -#endif /* !defined(LIBRESSL_VERSION_NUMBER) */ diff --git a/src/tls/openssl/tls.c b/src/tls/openssl/tls.c index b53f70283..f1eaeea64 100644 --- a/src/tls/openssl/tls.c +++ b/src/tls/openssl/tls.c 
@@ -58,9 +58,7 @@ struct tls { */ struct tls_cert { struct le le; - X509 *x509; - EVP_PKEY *pkey; - STACK_OF(X509) *chain; + SSL_CTX *ctx; char *host; }; @@ -164,7 +162,6 @@ static int keytype2int(enum tls_keytype type) } -#if !defined(LIBRESSL_VERSION_NUMBER) /** * OpenSSL verify handler for debugging purposes. Prints only warnings in the * default build @@ -207,7 +204,6 @@ int tls_verify_handler(int ok, X509_STORE_CTX *ctx) return ok; } -#endif static int tls_verify_idx = -1; @@ -223,43 +219,26 @@ static void tls_init_verify_idx(void) } -/** - * Allocate a new TLS context - * - * @param tlsp Pointer to allocated TLS context - * @param method TLS method - * @param keyfile Optional private key file - * @param pwd Optional password - * - * @return 0 if success, otherwise errorcode - */ -int tls_alloc(struct tls **tlsp, enum tls_method method, const char *keyfile, - const char *pwd) +static int tls_ctx_alloc(SSL_CTX **ctxp, enum tls_method method, + const char *certf, const char *pwd, struct tls *tls) { - struct tls *tls; - int r, err; + int err = 0; + int r; + SSL_CTX *ctx; int min_proto = 0; - if (!tlsp) - return EINVAL; - - tls = mem_zalloc(sizeof(*tls), destructor); - if (!tls) - return ENOMEM; - - tls->verify_server = true; switch (method) { case TLS_METHOD_TLS: case TLS_METHOD_SSLV23: - tls->ctx = SSL_CTX_new(TLS_method()); + ctx = SSL_CTX_new(TLS_method()); min_proto = TLS1_2_VERSION; break; case TLS_METHOD_DTLS: case TLS_METHOD_DTLSV1: case TLS_METHOD_DTLSV1_2: - tls->ctx = SSL_CTX_new(DTLS_method()); + ctx = SSL_CTX_new(DTLS_method()); break; default: 
@@ -268,51 +247,87 @@ int tls_alloc(struct tls **tlsp, enum tls_method method, const char *keyfile, goto out; } - if (!tls->ctx) { + if (!ctx) { ERR_clear_error(); err = ENOMEM; goto out; } - err = tls_set_min_proto_version(tls, min_proto); - if (err) - goto out; + SSL_CTX_set_min_proto_version(ctx, min_proto); -#if defined(TRACE_SSL) - SSL_CTX_set_keylog_callback(tls->ctx, tls_keylogger_cb); -#endif + if (!certf) + goto out; /* Load our keys and certificates */ - if (keyfile) { - if (pwd) { - err = str_dup(&tls->pass, pwd); - if (err) - goto out; + if (pwd && tls) { + err = str_dup(&tls->pass, pwd); + if (err) + goto out; - SSL_CTX_set_default_passwd_cb(tls->ctx, password_cb); - SSL_CTX_set_default_passwd_cb_userdata(tls->ctx, tls); - } + SSL_CTX_set_default_passwd_cb(ctx, password_cb); + SSL_CTX_set_default_passwd_cb_userdata(ctx, tls); + } - r = SSL_CTX_use_certificate_chain_file(tls->ctx, keyfile); - if (r <= 0) { - DEBUG_WARNING("Can't read certificate file: %s (%d)\n", - keyfile, r); - ERR_clear_error(); - err = EINVAL; - goto out; - } + r = SSL_CTX_use_certificate_chain_file(ctx, certf); + if (r <= 0) { + DEBUG_WARNING("Can't read certificate file: %s (%d)\n", certf, + r); + ERR_clear_error(); + err = EINVAL; + goto out; + } - r = SSL_CTX_use_PrivateKey_file(tls->ctx, keyfile, - SSL_FILETYPE_PEM); - if (r <= 0) { - DEBUG_WARNING("Can't read key file: %s (%d)\n", - keyfile, r); - ERR_clear_error(); - err = EINVAL; - goto out; - } + r = SSL_CTX_use_PrivateKey_file(ctx, certf, SSL_FILETYPE_PEM); + if (r <= 0) { + DEBUG_WARNING("Can't read key file: %s (%d)\n", certf, r); + ERR_clear_error(); + err = EINVAL; + goto out; } +out: + if (err) + SSL_CTX_free(ctx); + else + *ctxp = ctx; + + return err; +} + + +/** + * Allocate a new TLS context + * + * @param tlsp Pointer to allocated TLS context + * @param method TLS method + * @param keyfile Optional private key file + * @param pwd Optional password + * + * @return 0 if success, otherwise errorcode + */ +int 
tls_alloc(struct tls **tlsp, enum tls_method method, const char *keyfile, + const char *pwd) +{ + struct tls *tls; + int err; + + if (!tlsp) + return EINVAL; + + tls = mem_zalloc(sizeof(*tls), destructor); + if (!tls) + return ENOMEM; + + err = tls_ctx_alloc(&tls->ctx, method, keyfile, pwd, tls); + if (err) + goto out; + + tls->verify_server = true; + +#if defined(TRACE_SSL) + SSL_CTX_set_keylog_callback(tls->ctx, tls_keylogger_cb); +#endif + err = hash_alloc(&tls->reuse.ht_sessions, 256); if (err) goto out; @@ -1405,7 +1420,6 @@ int tls_set_ciphers(struct tls *tls, const char *cipherv[], size_t count) */ int tls_set_verify_server(struct tls_conn *tc, const char *host) { -#if !defined(LIBRESSL_VERSION_NUMBER) struct sa sa; if (!tc || !host) @@ -1434,12 +1448,6 @@ int tls_set_verify_server(struct tls_conn *tc, const char *host) SSL_set_verify(tc->ssl, SSL_VERIFY_PEER, tls_verify_handler); return 0; -#else - (void)tc; - (void)host; - - return ENOSYS; -#endif } @@ -1947,17 +1955,12 @@ SSL_CTX *tls_ssl_ctx(const struct tls *tls) } -#if !defined(LIBRESSL_VERSION_NUMBER) static void tls_cert_destructor(void *arg) { struct tls_cert *uc = arg; mem_deref(uc->host); - X509_free(uc->x509); - EVP_PKEY_free(uc->pkey); - sk_X509_pop_free(uc->chain, X509_free); } -#endif /** @@ -1973,11 +1976,8 @@ static void tls_cert_destructor(void *arg) */ int tls_add_certf(struct tls *tls, const char *certf, const char *host) { -#if !defined(LIBRESSL_VERSION_NUMBER) struct tls_cert *uc; - BIO *bio = NULL; int err = 0; - int ret; if (!tls || !certf) return EINVAL; 
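Review bot: `SSL_CTX_set_min_proto_version(ctx, min_proto);` in tls_ctx_alloc discards the return value, whereas the `tls_set_min_proto_version()` call it replaces had its error checked and aborted the allocation; if setting the floor fails, the context silently keeps OpenSSL's default minimum instead of TLS 1.2 and is still handed back to the caller. Suggest `if (!SSL_CTX_set_min_proto_version(ctx, min_proto)) { err = EINVAL; goto out; }` so the ctx is released at `out:` like the other failures. A smaller gap in the same hunk: the `TRACE_SSL` keylog callback is installed only on tls->ctx in tls_alloc, while the per-SNI contexts built by the same helper get none; if OpenSSL looks the callback up through the active ctx after `SSL_set_SSL_CTX()`, SNI-selected connections would not be logged (debug builds only, worth confirming). tls_alloc's body continues past the end of this hunk.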
@@ -1989,73 +1989,24 @@ int tls_add_certf(struct tls *tls, const char *certf, const char *host) if (str_isset(host)) { err = str_dup(&uc->host, host); if (err) - goto out; + goto err; } - bio = BIO_new_file(certf, "r"); - if (!bio) { - err = EIO; - goto out; - } - - uc->x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL); - if (!uc->x509) { - DEBUG_WARNING("Can't read certificate from file: %s\n", certf); - err = ENOTSUP; - goto out; - } - - while (1) { - X509 *ca = PEM_read_bio_X509(bio, NULL, 0, NULL); - if (!ca) - break; - - if (!uc->chain) - uc->chain = sk_X509_new_null(); - - if (!uc->chain) { - err = ENOMEM; - goto out; - } - - if (!sk_X509_push(uc->chain, ca)) { - err = ENOMEM; - goto out; - } - } + err = tls_ctx_alloc(&uc->ctx, TLS_METHOD_TLS, certf, NULL, NULL); + if (err) + goto err; - ret = BIO_reset(bio); - if (ret < 0 || !bio) { - err = EIO; - goto out; - } + list_append(&tls->certs, &uc->le, uc); + if (list_count(&tls->certs) == 1) + tls_enable_sni(tls); - uc->pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); - if (!uc->pkey) { - DEBUG_WARNING("Can't read private key from file: %s\n", certf); - err = ENOTSUP; - goto out; - } + return 0; -out: - BIO_free(bio); - if (err) { - ERR_clear_error(); - mem_deref(uc); - } - else { - list_append(&tls->certs, &uc->le, uc); - if (list_count(&tls->certs) == 1) - tls_enable_sni(tls); - } +err: + ERR_clear_error(); + mem_deref(uc); return err; -#else - (void)tls; - (void)certf; - (void)host; - return ENOSYS; -#endif } 
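Review bot: The per-SNI context is built by `tls_ctx_alloc(&uc->ctx, TLS_METHOD_TLS, certf, NULL, NULL)` from OpenSSL defaults, and `SSL_set_SSL_CTX()` in the servername callback swaps only the certificate/key into the connection, so anything OpenSSL resolves through the active SSL_CTX after the switch (the trust store used for peer verification, and a client-CA list or cert-verify callback if the parent ctx carries one) comes from this fresh ctx rather than from tls->ctx. Nothing in this hunk copies any of that over, so as of this commit client-certificate verification on an SNI-selected connection would, as far as I can tell, run against an empty store; the trust store is handled by a later commit in this series, the rest is not. The method is also hard-coded to TLS_METHOD_TLS even when the parent was created with a DTLS method, which is harmless only as long as nothing but the cert/key is ever taken from it. Both decisions deserve a comment at this call site, e.g. `/* Fresh ctx: SSL_set_SSL_CTX() applies only its cert/key; settings OpenSSL reads via ssl->ctx must be copied from tls->ctx */`.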
@@ -2068,36 +2019,15 @@ int tls_add_certf(struct tls *tls, const char *certf, const char *host) */ X509 *tls_cert_x509(struct tls_cert *hc) { - return hc ? hc->x509 : NULL; + return hc ? SSL_CTX_get0_certificate(hc->ctx) : NULL; } -/** - * Returns the private key of the TLS certificate - * - * @param hc TLS certificate - * - * @return The OpenSSL EVP_PKEY - */ -EVP_PKEY *tls_cert_pkey(struct tls_cert *hc) -{ - return hc ? hc->pkey : NULL; -} - +SSL_CTX *tls_cert_ctx(struct tls_cert *hc) { -/* - * Returns the certificate chain of the TLS certificate - * - * @param hc TLS certificate - * - * @return The OpenSSL stack of X509 - */ -struct stack_st_X509 *tls_cert_chain(struct tls_cert *hc) -{ - return hc ? hc->chain : NULL; + return hc ? hc->ctx : NULL; } - /** * Returns the host name of the TLS certificate * diff --git a/src/tls/openssl/tls.h b/src/tls/openssl/tls.h index 7094c9d69..c58eb5961 100644 --- a/src/tls/openssl/tls.h +++ b/src/tls/openssl/tls.h @@ -27,6 +27,7 @@ struct tls_cert; void tls_flush_error(void); SSL_CTX *tls_ssl_ctx(const struct tls *tls); X509 *tls_cert_x509(struct tls_cert *hc); +SSL_CTX *tls_cert_ctx(struct tls_cert *hc); EVP_PKEY *tls_cert_pkey(struct tls_cert *hc); struct stack_st_X509 *tls_cert_chain(struct tls_cert *hc); @@ -34,7 +35,5 @@ const char *tls_cert_host(struct tls_cert *hc); const struct list *tls_certs(const struct tls *tls); struct tls_cert *tls_cert_for_sni(const struct tls *tls, const char *sni); -#if !defined(LIBRESSL_VERSION_NUMBER) int tls_verify_handler(int ok, X509_STORE_CTX *ctx); void tls_enable_sni(struct tls *tls); -#endif From 78ea67d28fda0e49d3a8228f15bc69b4de5d89f7 Mon Sep 17 00:00:00 2001 From: Sebastian Reimers Date: Mon, 3 Jun 2024 17:17:54 +0200 Subject: [PATCH 2/9] fix load verify locations --- src/tls/openssl/tls.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/tls/openssl/tls.c b/src/tls/openssl/tls.c index f1eaeea64..a0e45a3bc 100644 --- a/src/tls/openssl/tls.c 
+++ b/src/tls/openssl/tls.c @@ -49,6 +49,8 @@ struct tls { bool verify_client; /**< Enable SIP TLS client verification */ struct session_reuse reuse; struct list certs; /**< Certificates for SNI selection */ + char *capath; + char *cafile; }; /** @@ -127,6 +129,8 @@ static void destructor(void *data) hash_flush(tls->reuse.ht_sessions); mem_deref(tls->reuse.ht_sessions); mem_deref(tls->pass); + mem_deref(tls->capath); + mem_deref(tls->cafile); list_flush(&tls->certs); } @@ -378,6 +382,9 @@ int tls_add_cafile_path(struct tls *tls, const char *cafile, return ENOTDIR; } + str_dup(&tls->cafile, cafile); + str_dup(&tls->capath, capath); + /* Load the CAs we trust */ if (!(SSL_CTX_load_verify_locations(tls->ctx, cafile, capath))) { @@ -1996,6 +2003,13 @@ int tls_add_certf(struct tls *tls, const char *certf, const char *host) if (err) goto err; + /* Load the CAs we trust */ + if (!(SSL_CTX_load_verify_locations(uc->ctx, tls->cafile, + tls->capath))) { + err = ENOENT; + goto err; + } + list_append(&tls->certs, &uc->le, uc); if (list_count(&tls->certs) == 1) tls_enable_sni(tls); From 01576d91bbf53e340d537bbb345ab7606c59fc15 Mon Sep 17 00:00:00 2001 From: Sebastian Reimers Date: Mon, 3 Jun 2024 17:27:49 +0200 Subject: [PATCH 3/9] fix cleanup --- src/tls/openssl/tls.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/tls/openssl/tls.c b/src/tls/openssl/tls.c index a0e45a3bc..59b829f39 100644 --- a/src/tls/openssl/tls.c +++ b/src/tls/openssl/tls.c @@ -382,6 +382,9 @@ int tls_add_cafile_path(struct tls *tls, const char *cafile, return ENOTDIR; } + tls->cafile = mem_deref(tls->cafile); + tls->capath = mem_deref(tls->capath); + str_dup(&tls->cafile, cafile); str_dup(&tls->capath, capath); @@ -1967,6 +1970,8 @@ static void tls_cert_destructor(void *arg) struct tls_cert *uc = arg; mem_deref(uc->host); + if (uc->ctx) + SSL_CTX_free(uc->ctx); } From acaa2f3ab39e2fa5c20d5d372340ad897e964354 Mon Sep 17 00:00:00 2001 
From: Sebastian Reimers Date: Mon, 3 Jun 2024 17:34:26 +0200 Subject: [PATCH 4/9] fix ctx uninitialized goto --- src/tls/openssl/tls.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/tls/openssl/tls.c b/src/tls/openssl/tls.c index 59b829f39..9cd7220b2 100644 --- a/src/tls/openssl/tls.c +++ b/src/tls/openssl/tls.c @@ -247,14 +247,12 @@ static int tls_ctx_alloc(SSL_CTX **ctxp, enum tls_method method, default: DEBUG_WARNING("tls method %d not supported\n", method); - err = ENOSYS; - goto out; + return ENOSYS; } if (!ctx) { ERR_clear_error(); - err = ENOMEM; - goto out; + return ENOMEM; } SSL_CTX_set_min_proto_version(ctx, min_proto); From a53cde09ba347e0b070ff9b3d9bb9fac5c138502 Mon Sep 17 00:00:00 2001 From: Sebastian Reimers Date: Mon, 3 Jun 2024 20:42:51 +0200 Subject: [PATCH 5/9] improve sni callback error handling --- src/tls/openssl/sni.c | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/src/tls/openssl/sni.c b/src/tls/openssl/sni.c index 5c32d4103..aa1a73d89 100644 --- a/src/tls/openssl/sni.c +++ b/src/tls/openssl/sni.c @@ -161,27 +161,32 @@ static int ssl_set_verify_client(SSL *ssl, const char *host) static int ssl_servername_handler(SSL *ssl, int *al, void *arg) { - struct tls *tls = arg; + struct tls *tls = arg; struct tls_cert *uc = NULL; const char *sni; - (void)al; sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); if (!str_isset(sni)) - goto out; + goto err; /* find and apply matching certificate */ uc = tls_cert_for_sni(tls, sni); - if (!uc) - goto out; + if (!uc) { + *al = SSL_AD_UNRECOGNIZED_NAME; + return SSL_TLSEXT_ERR_ALERT_FATAL; + } DEBUG_INFO("found cert for sni %s\n", sni); - SSL_set_SSL_CTX(ssl, tls_cert_ctx(uc)); + if (SSL_set_SSL_CTX(ssl, tls_cert_ctx(uc)) == NULL) + goto err; (void)ssl_set_verify_client(ssl, tls_cert_host(uc)); -out: return SSL_TLSEXT_ERR_OK; + +err: + *al = SSL_AD_INTERNAL_ERROR; + return SSL_TLSEXT_ERR_ALERT_FATAL; } 
From 7e6d526f23c4be90a2564157f5077af3666c21d9 Mon Sep 17 00:00:00 2001 From: Sebastian Reimers Date: Mon, 3 Jun 2024 21:27:52 +0200 Subject: [PATCH 6/9] cleanup tls.h --- src/tls/openssl/tls.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/tls/openssl/tls.h b/src/tls/openssl/tls.h index c58eb5961..ac780f0ae 100644 --- a/src/tls/openssl/tls.h +++ b/src/tls/openssl/tls.h @@ -28,9 +28,7 @@ void tls_flush_error(void); SSL_CTX *tls_ssl_ctx(const struct tls *tls); X509 *tls_cert_x509(struct tls_cert *hc); SSL_CTX *tls_cert_ctx(struct tls_cert *hc); -EVP_PKEY *tls_cert_pkey(struct tls_cert *hc); -struct stack_st_X509 *tls_cert_chain(struct tls_cert *hc); const char *tls_cert_host(struct tls_cert *hc); const struct list *tls_certs(const struct tls *tls); From b1f3961447dfccdf6d2545d9f8966c796bebaf9f Mon Sep 17 00:00:00 2001 From: Sebastian Reimers Date: Wed, 5 Jun 2024 08:41:16 +0200 Subject: [PATCH 7/9] refactor cert_store verify --- src/tls/openssl/tls.c | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) diff --git a/src/tls/openssl/tls.c b/src/tls/openssl/tls.c index 9cd7220b2..0d28a5edf 100644 --- a/src/tls/openssl/tls.c +++ b/src/tls/openssl/tls.c @@ -49,8 +49,6 @@ struct tls { bool verify_client; /**< Enable SIP TLS client verification */ struct session_reuse reuse; struct list certs; /**< Certificates for SNI selection */ - char *capath; - char *cafile; }; /** @@ -129,8 +127,6 @@ static void destructor(void *data) hash_flush(tls->reuse.ht_sessions); mem_deref(tls->reuse.ht_sessions); mem_deref(tls->pass); - mem_deref(tls->capath); - mem_deref(tls->cafile); list_flush(&tls->certs); } @@ -380,12 +376,6 @@ int tls_add_cafile_path(struct tls *tls, const char *cafile, return ENOTDIR; } - tls->cafile = mem_deref(tls->cafile); - tls->capath = mem_deref(tls->capath); - - str_dup(&tls->cafile, cafile); - str_dup(&tls->capath, capath); - /* Load the CAs we trust */ if (!(SSL_CTX_load_verify_locations(tls->ctx, cafile, capath))) { 
@@ -2006,12 +1996,9 @@ int tls_add_certf(struct tls *tls, const char *certf, const char *host) if (err) goto err; - /* Load the CAs we trust */ - if (!(SSL_CTX_load_verify_locations(uc->ctx, tls->cafile, - tls->capath))) { - err = ENOENT; - goto err; - } + X509_STORE *ca = SSL_CTX_get_cert_store(tls->ctx); + X509_STORE_up_ref(ca); + SSL_CTX_set_cert_store(uc->ctx, ca); list_append(&tls->certs, &uc->le, uc); if (list_count(&tls->certs) == 1) From 325aaa4d24f222a66bb234eddb11d288371b724c Mon Sep 17 00:00:00 2001 From: Sebastian Reimers Date: Wed, 5 Jun 2024 08:44:40 +0200 Subject: [PATCH 8/9] check cert_store pointer --- src/tls/openssl/tls.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/tls/openssl/tls.c b/src/tls/openssl/tls.c index 0d28a5edf..b182b74ef 100644 --- a/src/tls/openssl/tls.c +++ b/src/tls/openssl/tls.c @@ -1997,8 +1997,10 @@ int tls_add_certf(struct tls *tls, const char *certf, const char *host) goto err; X509_STORE *ca = SSL_CTX_get_cert_store(tls->ctx); - X509_STORE_up_ref(ca); - SSL_CTX_set_cert_store(uc->ctx, ca); + if (ca) { + X509_STORE_up_ref(ca); + SSL_CTX_set_cert_store(uc->ctx, ca); + } list_append(&tls->certs, &uc->le, uc); if (list_count(&tls->certs) == 1) From 67630ebf0035111fe728696af8407df2f7faeb5b Mon Sep 17 00:00:00 2001 From: Sebastian Reimers Date: Wed, 5 Jun 2024 11:11:32 +0200 Subject: [PATCH 9/9] refactor goto error handling --- src/tls/openssl/sni.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/tls/openssl/sni.c b/src/tls/openssl/sni.c index aa1a73d89..8298e40fd 100644 --- a/src/tls/openssl/sni.c +++ b/src/tls/openssl/sni.c 
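Review bot: The store sharing at `X509_STORE *ca = SSL_CTX_get_cert_store(tls->ctx);` carries no comment explaining why it is needed, and the reason is non-obvious: after `SSL_set_SSL_CTX()` in the SNI callback, peer certificates are verified against the store of the newly active ctx, so without this the SNI ctx would verify against an empty store. Suggest `/* Share the parent's trust store: after SSL_set_SSL_CTX() OpenSSL verifies peers against the active ctx's store */`. Because the store is shared by pointer, CAs loaded into tls->ctx later through tls_add_cafile_path are visible here too, but anything that replaces the parent's store object afterwards (e.g. SSL_CTX_set_cert_store on tls->ctx) would silently desynchronise the two; that caveat belongs in the same comment. The return of `X509_STORE_up_ref(ca)` is also unchecked, a minor point since it only fails on reference-count overflow.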
@@ -166,8 +166,10 @@ static int ssl_servername_handler(SSL *ssl, int *al, void *arg) const char *sni; sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); - if (!str_isset(sni)) - goto err; + if (!str_isset(sni)) { + *al = SSL_AD_UNRECOGNIZED_NAME; + return SSL_TLSEXT_ERR_ALERT_FATAL; + } /* find and apply matching certificate */ uc = tls_cert_for_sni(tls, sni); @@ -177,16 +179,14 @@ static int ssl_servername_handler(SSL *ssl, int *al, void *arg) } DEBUG_INFO("found cert for sni %s\n", sni); - if (SSL_set_SSL_CTX(ssl, tls_cert_ctx(uc)) == NULL) - goto err; + if (SSL_set_SSL_CTX(ssl, tls_cert_ctx(uc)) == NULL) { + *al = SSL_AD_INTERNAL_ERROR; + return SSL_TLSEXT_ERR_ALERT_FATAL; + } (void)ssl_set_verify_client(ssl, tls_cert_host(uc)); return SSL_TLSEXT_ERR_OK; - -err: - *al = SSL_AD_INTERNAL_ERROR; - return SSL_TLSEXT_ERR_ALERT_FATAL; }
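Review bot: With the new `!str_isset(sni)` branch a client that sends no server_name extension is refused with a fatal `unrecognized_name` alert, whereas before this series such a connection fell through and was served with the default certificate from tls->ctx. As far as I recall OpenSSL invokes the servername callback regardless of whether the extension was present, so as soon as one certificate is registered via tls_add_certf every non-SNI client (e.g. peers that connect by IP address) is cut off. If that is not intended, the usual handling is to keep the default certificate: `if (!str_isset(sni)) return SSL_TLSEXT_ERR_NOACK;`. If fail-closed is intended, a comment here stating so is warranted, because it is a behaviour change for existing deployments.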
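Review bot: `(void)ssl_set_verify_client(ssl, tls_cert_host(uc));` still discards its result even though every other failure in this handler now aborts the handshake with a fatal alert; if that helper is what arms client-certificate verification for the selected host (its body is outside this hunk), a failure here leaves the handshake running without the verification the configuration asked for, i.e. it fails open. For consistency with the surrounding code: `if (ssl_set_verify_client(ssl, tls_cert_host(uc))) { *al = SSL_AD_INTERNAL_ERROR; return SSL_TLSEXT_ERR_ALERT_FATAL; }`. The enclosing function starts before this hunk.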