From 46864e8e115245d4a8ed9cd263276063c800ab95 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Wed, 22 Jan 2020 11:26:47 +0000
Subject: Send alerts on certificate verification failures of server certs

ok tb@
---
 src/lib/libssl/tls13_client.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/lib/libssl')

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index b42167a58a..3648d09b22 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.26 2020/01/22 05:06:23 tb Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.27 2020/01/22 11:26:47 beck Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -535,7 +535,7 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx)
 	 */
 	if (ssl_verify_cert_chain(s, certs) <= 0 &&
 	    s->verify_mode != SSL_VERIFY_NONE) {
-		/* XXX send alert */
+		ctx->alert = ssl_verify_alarm_type(s->verify_result);
 		tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,
 		    "failed to verify peer certificate", NULL);
 		goto err;
-- 
cgit v1.2.3-55-g6feb