Remove useless check for valid certificate

archigup · archigup · commit a1f93fcb2e84 · 2022-10-06T14:52:42.000-07:00
If certificate check fails, SSL_Connect will fail, thus the removed code will
not run. It would only runs when successful. That function is meant to check the
error code when there is a certificate validation issue.

SSL_get_verify_result is being used incorrectly here; it is intended to get
the validation error reason when SSL_Connect fails, and that failure is due to
an invalid certificate.
diff --git a/platform/posix/transport/src/openssl_posix.c b/platform/posix/transport/src/openssl_posix.c
@@ -285,19 +285,6 @@ static OpensslStatus_t tlsHandshake( const ServerInfo_t * pServerInfo,
         }
     }
 
-    /* Verify X509 certificate from peer. */
-    if( returnStatus == OPENSSL_SUCCESS )
-    {
-        verifyPeerCertStatus = ( int32_t ) SSL_get_verify_result( pOpensslParams->pSsl );
-
-        if( verifyPeerCertStatus != X509_V_OK )
-        {
-            LogError( ( "SSL_get_verify_result failed to verify X509 "
-                        "certificate from peer." ) );
-            returnStatus = OPENSSL_HANDSHAKE_FAILED;
-        }
-    }
-
     return returnStatus;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -285,19 +285,6 @@ static OpensslStatus_t tlsHandshake( const ServerInfo_t * pServerInfo,`
`285`	`285`	`}`
`286`	`286`	`}`
`287`	`287`
`288`		`- /* Verify X509 certificate from peer. */`
`289`		`- if( returnStatus == OPENSSL_SUCCESS )`
`290`		`- {`
`291`		`- verifyPeerCertStatus = ( int32_t ) SSL_get_verify_result( pOpensslParams->pSsl );`
`292`		`-`
`293`		`- if( verifyPeerCertStatus != X509_V_OK )`
`294`		`- {`
`295`		`- LogError( ( "SSL_get_verify_result failed to verify X509 "`
`296`		`- "certificate from peer." ) );`
`297`		`- returnStatus = OPENSSL_HANDSHAKE_FAILED;`
`298`		`- }`
`299`		`- }`
`300`		`-`
`301`	`288`	`return returnStatus;`
`302`	`289`	`}`
`303`	`290`