Bug: default_verify_param are inverted in SSL::Context::Client and SS…

…L::Context::Server Fixes crystal-lang#5266 x509 certificates have a purpose associated to them. Clients should verify that the server's certificate is intended to be used in a server, and servers should check the client's certificate is intended to be used for clients. Crystal was mistakingly checking those mixed up. See https://wiki.openssl.org/index.php?title=Manual:X509(1)&oldid=1797#CERTIFICATE_EXTENSIONS See https://tools.ietf.org/html/rfc5280#section-4.2.1.3
chris-huxtable · Jan 25, 2018 · 558a32a · 558a32a
1 parent 7f05801
commit 558a32a
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/src/openssl/ssl/context.cr b/src/openssl/ssl/context.cr
@@ -77,7 +77,7 @@ abstract class OpenSSL::SSL::Context
 
       self.verify_mode = OpenSSL::SSL::VerifyMode::PEER
       {% if LibSSL::OPENSSL_102 %}
-      self.default_verify_param = "ssl_client"
+      self.default_verify_param = "ssl_server"
       {% end %}
     end
 
@@ -130,7 +130,7 @@ abstract class OpenSSL::SSL::Context
 
       add_options(OpenSSL::SSL::Options::CIPHER_SERVER_PREFERENCE)
       {% if LibSSL::OPENSSL_102 %}
-      self.default_verify_param = "ssl_server"
+      self.default_verify_param = "ssl_client"
       {% end %}
     end