From: Matt Caswell <matt@openssl.org>
Date: Tue, 14 Mar 2017 17:27:46 +0000 (+0000)
Subject: SSL_get_peer_cert_chain() does not work after a resumption
X-Git-Tag: OpenSSL_1_1_1-pre1~2039
X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=162e120711490cbd26f8608bf268a906c42e2027

SSL_get_peer_cert_chain() does not work after a resumption

After a resumption it is documented that SSL_get_peer_cert_chain() will
return NULL. In BoringSSL it still returns the chain. We don't support that
so we should update the shim to call SSL_get_peer_certificate() instead
when checking whether a peer certificate is available.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2942)
---

diff --git a/test/ossl_shim/ossl_shim.cc b/test/ossl_shim/ossl_shim.cc
index be589e36d1..9607e528d8 100644
--- a/test/ossl_shim/ossl_shim.cc
+++ b/test/ossl_shim/ossl_shim.cc
@@ -857,7 +857,7 @@ static bool CheckHandshakeProperties(SSL *ssl, bool is_resume) {
       return false;
     }
   } else if (!config->is_server || config->require_any_client_certificate) {
-    if (SSL_get_peer_cert_chain(ssl) == nullptr) {
+    if (SSL_get_peer_certificate(ssl) == nullptr) {
       fprintf(stderr, "Received no peer certificate but expected one.\n");
       return false;
     }