Commit e5f01903ed for openssl.org

commit e5f01903ed7c2872ab06c0a489c78e3224cbe213
Author: Ryan Hooper <ryhooper@cisco.com>
Date:   Thu Aug 28 14:58:02 2025 -0400

    Enable peer verification with s_server's verify_return_error option

    If the option is specified it will now implicitly enable peer verification.

    The s_client command  was already behaved this way, so
    s_server was updated to match the behavior of s_client.

    Fixes #15134

    Reviewed-by: Matt Caswell <matt@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/28445)

diff --git a/CHANGES.md b/CHANGES.md
index 7b7222bb1a..6aab4733e1 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -41,6 +41,11 @@ OpenSSL 4.0

    *Igor Ustinov*

+ * Enabled Server verification by default in `s_server` when option
+   verify_return_error is enabled.
+
+   *Ryan Hooper*
+
 OpenSSL 3.6
 -----------

diff --git a/apps/s_server.c b/apps/s_server.c
index 3edb53d00a..94f225f442 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1568,6 +1568,7 @@ int s_server_main(int argc, char *argv[])
                 goto end;
             break;
         case OPT_VERIFY_RET_ERROR:
+            s_server_verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
             verify_args.return_error = 1;
             break;
         case OPT_VERIFY_QUIET: