diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSslEngine.java b/handler/src/main/java/io/netty/handler/ssl/OpenSslEngine.java
index 6ace01a8f5..9ff8039747 100644
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSslEngine.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslEngine.java
@@ -1528,7 +1528,7 @@ public final class OpenSslEngine extends SSLEngine {
 @Override
 public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
 synchronized (OpenSslEngine.this) {
- if (peerCerts == null) {
+ if (peerCerts == null || peerCerts.length == 0) {
 throw new SSLPeerUnverifiedException("peer not verified");
 }
 return peerCerts;
@@ -1544,7 +1544,7 @@ public final class OpenSslEngine extends SSLEngine {
 @Override
 public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
 synchronized (OpenSslEngine.this) {
- if (x509PeerCerts == null) {
+ if (x509PeerCerts == null || x509PeerCerts.length == 0) {
 throw new SSLPeerUnverifiedException("peer not verified");
 }
 return x509PeerCerts;
@@ -1554,9 +1554,8 @@ public final class OpenSslEngine extends SSLEngine {
 @Override
 public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
 Certificate[] peer = getPeerCertificates();
- if (peer == null || peer.length == 0) {
- return null;
- }
+ // No need for null or length > 0 is needed as this is done in getPeerCertificates()
+ // already.
 return ((java.security.cert.X509Certificate) peer[0]).getSubjectX500Principal();
 }
diff --git a/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketSslGreetingTest.java b/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketSslGreetingTest.java
index 8ab587bdbc..6eed0bc15e 100644
--- a/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketSslGreetingTest.java
+++ b/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketSslGreetingTest.java
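Review bot: `return peerCerts;` still hands out the engine's own array, so any caller of getPeerCertificates() can overwrite an entry that every later caller of the same session then sees; because these certificates usually feed authorization decisions, return a copy instead, `return peerCerts.clone();`, and likewise `return x509PeerCerts.clone();` in the getPeerCertificateChain() hunk. The added empty-chain check itself is the right contract fix, as the JDK's SSLSession implementation also reports an unverified peer with SSLPeerUnverifiedException rather than an empty array. Both methods' closing braces lie outside their hunks.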
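Review bot: The new comment in getPeerPrincipal() reads `No need for null or length > 0 is needed`, which is garbled and names the inverse of the removed check; state what a reader needs in order to trust `peer[0]`, e.g. `// getPeerCertificates() throws SSLPeerUnverifiedException for a null or empty chain, so peer[0] is present.`. Removing the `return null` path is an observable change for callers that used null as "unverified peer"; they now get the exception, which matches the SSLSession contract but deserves a mention in the change description. The unchecked cast to X509Certificate is unchanged by this hunk and presumably holds because the chain is built from X509 certificates elsewhere in the class, which is not visible here.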
@@ -29,6 +29,8 @@ import io.netty.handler.logging.LoggingHandler;
 import io.netty.handler.ssl.OpenSsl;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.SslHandler;
+import io.netty.handler.ssl.SslHandshakeCompletionEvent;
 import io.netty.handler.ssl.SslProvider;
 import io.netty.handler.ssl.util.SelfSignedCertificate;
 import io.netty.util.ReferenceCountUtil;
@@ -39,6 +41,8 @@ import org.junit.runner.RunWith;
 import org.junit.runners.Parameterized;
 import org.junit.runners.Parameterized.Parameters;
+import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLSession;
 import java.io.File;
 import java.io.IOException;
 import java.security.cert.CertificateException;
@@ -209,5 +213,34 @@ public class SocketSslGreetingTest extends AbstractSocketTest {
 exception.compareAndSet(null, cause);
 ctx.close();
 }
+
+ @Override
+ public void userEventTriggered(final ChannelHandlerContext ctx, final Object evt) throws Exception {
+ if (evt instanceof SslHandshakeCompletionEvent) {
+ final SslHandshakeCompletionEvent event = (SslHandshakeCompletionEvent) evt;
+ if (event.isSuccess()) {
+ SSLSession session = ctx.pipeline().get(SslHandler.class).engine().getSession();
+ try {
+ session.getPeerCertificates();
+ fail();
+ } catch (SSLPeerUnverifiedException e) {
+ // expected
+ }
+ try {
+ session.getPeerCertificateChain();
+ fail();
+ } catch (SSLPeerUnverifiedException e) {
+ // expected
+ }
+ try {
+ session.getPeerPrincipal();
+ fail();
+ } catch (SSLPeerUnverifiedException e) {
+ // expected
+ }
+ }
+ }
+ ctx.fireUserEventTriggered(evt);
+ }
 }
 }
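Review bot: The three `fail()` calls in userEventTriggered carry no message, so a regression in any one of the session methods surfaces as an anonymous AssertionError in the `exception` slot filled by exceptionCaught and cannot be told apart from the others; give each a message, e.g. `fail("getPeerCertificates() must throw SSLPeerUnverifiedException");`. The unused catch variables could be named `ignored` to match the `// expected` comment. The AssertionError is thrown on the event loop and, from the context lines above the insertion, lands in the existing exceptionCaught that records it and closes the channel, so the failure is captured rather than lost. The enclosing handler class starts before this hunk, so whether it is installed on the client or the server side is not visible here.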