diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 833246141..ba6d47d3c 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6139,7 +6139,7 @@ static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl ) ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE && memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer has no certificate" ) ); return( 0 ); } return( -1 ); diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index b498fd490..ead0db835 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1532,9 +1532,12 @@ static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl ) if( ( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) && ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST ) ) { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "got a certificate request" ) ); return( SSL_CERTIFICATE_REQUEST_EXPECT_REQUEST ); } + MBEDTLS_SSL_DEBUG_MSG( 3, ( "got no certificate request" ) ); + return( SSL_CERTIFICATE_REQUEST_SKIP ); } @@ -1687,7 +1690,6 @@ static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl ) } else if( ret == SSL_CERTIFICATE_REQUEST_SKIP ) { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip tls13 parse certificate request" ) ); ret = 0; } else @@ -1697,9 +1699,6 @@ static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl ) goto cleanup; } - MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request", - ssl->handshake->client_auth ? "a" : "no" ) ); - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_CERTIFICATE ); cleanup: @@ -1803,7 +1802,10 @@ static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY ); } else + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip write certificate verify" ) ); mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED ); + } return( 0 ); } 
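Review bot: `got a certificate request` in ssl_tls13_certificate_request_coordinate is logged on the message type alone (`in_msgtype` and `in_msg[0]`), whereas the level-3 line this commit removes from ssl_tls13_process_certificate_request reported `ssl->handshake->client_auth` after the error branch had been passed. A CertificateRequest that is rejected later would presumably still be logged as received, which matters to anyone reading the log to decide whether client authentication was negotiated. A comment above the new line would make that explicit, for example `/* Message type only; the request body has not been validated yet. */`. The function starts outside the hunk, so whatever runs before this check is not visible here.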
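Review bot: The new string `skip write certificate verify` in the else branch of ssl_tls13_write_client_certificate begins with `skip write certificate`, which tests/ssl-opt.sh in this same commit uses as a pattern. The pattern visible there is anchored (`skip write certificate$`) and is unaffected, but an unanchored use elsewhere in the script would now match this line too, turning a `-C` check into a false failure or a `-c` check into a false pass. The same prefix relation holds for `skip parse certificate` and `skip parse certificate verify` added in library/ssl_tls13_server.c. Checking that every pattern for the shorter strings ends in `$` would settle it. The `if` that this else belongs to is outside the hunk.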
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index f508bcad3..acd227def 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -567,7 +567,7 @@ static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl ) */ if( ssl->session_negotiate->peer_cert == NULL ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer has not sent a certificate" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer has no certificate" ) ); #if defined(MBEDTLS_SSL_SRV_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 5be338d3f..c85ecb5cf 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1611,7 +1611,11 @@ static int ssl_tls13_write_server_finished( mbedtls_ssl_context *ssl ) mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake ); } else + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate" ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate verify" ) ); mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED ); + } return( 0 ); } @@ -1741,8 +1745,11 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY ); } else + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "skip parse certificate verify" ) ); mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED ); + } } break; diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index be66385aa..d3e8ddfdd 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -4864,7 +4864,7 @@ run_test "Authentication: client has no cert, server required (TLS)" \ -c "= write certificate$" \ -C "skip write certificate$" \ -S "x509_verify_cert() returned" \ - -s "client has no certificate" \ + -s "peer has no certificate" \ -s "! mbedtls_ssl_handshake returned" \ -c "! mbedtls_ssl_handshake returned" \ -s "No client certification received from the client, but required by the authentication mode"
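Review bot: The else branch in ssl_tls13_write_server_finished goes straight to MBEDTLS_SSL_CLIENT_FINISHED, and the two level-2 lines are the only record that the client's Certificate and CertificateVerify were not processed, yet nothing visible says which condition leads here. Since this is the path on which the client stays unauthenticated by certificate, a short comment would help, e.g. `/* Client authentication not requested: no Certificate/CertificateVerify expected. */`, if that is indeed what the condition tests. The `if` belonging to this else is outside the hunk. The else in mbedtls_ssl_tls13_handshake_server_step further down logs only `skip parse certificate verify` and would benefit from the same kind of comment.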
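Review bot: The pattern `-s "peer has no certificate"` now matches the line printed by both library/ssl_tls.c and library/ssl_tls13_generic.c, so this test no longer shows which of the two code paths handled the missing certificate. If the test is meant to cover one of them, a second pattern that only that path prints would restore the distinction. Otherwise a comment above the run_test call would record that the overlap is intended, e.g. `# "peer has no certificate" is printed by both ssl_tls.c and ssl_tls13_generic.c`. The run_test call starts above the hunk, so its client and server arguments are not visible here.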