Commit 3bf2aba5f5 for openssl.org
commit 3bf2aba5f5e2e602b7b72b71d91e3befb08e9e94
Author: Tomas Mraz <tomas@openssl.foundation>
Date: Tue Jul 7 12:32:13 2026 +0200
Document the effect of SSL_VERIFY_FAIL_IF_NO_PEER_CERT on post-handshake auth
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Fri Jul 10 15:45:39 2026
(Merged from https://github.com/openssl/openssl/pull/31876)
diff --git a/doc/man3/SSL_CTX_set_verify.pod b/doc/man3/SSL_CTX_set_verify.pod
index 58774796cd..1a9ef7d83e 100644
--- a/doc/man3/SSL_CTX_set_verify.pod
+++ b/doc/man3/SSL_CTX_set_verify.pod
@@ -74,7 +74,9 @@ SSL_CTX_set_client_cert_cb() if no certificate is provided at initialization.
SSL_verify_client_post_handshake() causes a CertificateRequest message to be
sent by a server on the given B<ssl> connection. The SSL_VERIFY_PEER flag must
-be set; the SSL_VERIFY_POST_HANDSHAKE flag is optional.
+be set; the SSL_VERIFY_POST_HANDSHAKE flag is optional. The
+SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag is also applicable and has the same
+effect as with the client authentication during the handshake.
=head1 NOTES