Merge pull request #10442 from davidhorstmann-arm/verify-result-default-failure

Hardening: Make `mbedtls_ssl_get_verify_result()` default to failure
2026-03-20 11:11:08 +01:00 · 2026-03-17 10:36:38 +00:00
parent d7f2a4cdc6 937c70ac90
commit cb0b594a9d
8 changed files with 182 additions and 45 deletions
--- a/ChangeLog.d/verify-result-default-value.txt
+++ b/ChangeLog.d/verify-result-default-value.txt
@@ -0,0 +1,5 @@
+Changes
+   * Harden mbedtls_ssl_get_verify_result() against misuse.
+     If the handshake has not yet been attempted, return -1u to indicate
+     that the result is not available. Previously the result of verification
+     was zero-initialized so the function would return 0 (indicating success).
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -962,6 +962,8 @@ void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform)
 void mbedtls_ssl_session_init(mbedtls_ssl_session *session)
 {
    memset(session, 0, sizeof(mbedtls_ssl_session));
+    /* Set verify_result to -1u to indicate 'result not available'. */
+    session->verify_result = 0xFFFFFFFF;
 }

 MBEDTLS_CHECK_RETURN_CRITICAL
@@ -4570,6 +4572,9 @@ void mbedtls_ssl_session_free(mbedtls_ssl_session *session)
 #endif

    mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session));
+
+    /* Set verify_result to -1u to indicate 'result not available'. */
+    session->verify_result = 0xFFFFFFFF;
 }

 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
@@ -6977,6 +6982,7 @@ static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl,
        ssl->handshake->ciphersuite_info;

    if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
+        ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
        return SSL_CERTIFICATE_SKIP;
    }

@@ -8692,6 +8698,7 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
                                   void *rs_ctx)
 {
    if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
+        ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
        return 0;
    }

--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -2264,6 +2264,9 @@ static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
    if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
        mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
+
+        /* Since we're not using a certificate, set verify_result to skipped */
+        ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
    } else {
        mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);
    }
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -2616,6 +2616,9 @@ static int ssl_tls13_write_encrypted_extensions(mbedtls_ssl_context *ssl)
 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
    if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
        mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
+
+        /* Since we're not using a certificate, set verify_result to skipped */
+        ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
    } else {
        mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);
    }
--- a/tests/opt-testcases/tls13-kex-modes.sh
+++ b/tests/opt-testcases/tls13-kex-modes.sh
@@ -482,7 +482,8 @@ run_test    "TLS 1.3: G->m: ephemeral_all/ephemeral_all, good" \
            -S "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -s "key exchange mode: psk_ephemeral"  \
-            -S "key exchange mode: ephemeral"
+            -S "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_gnutls_tls1_3
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -503,7 +504,8 @@ run_test    "TLS 1.3: G->m: ephemeral_all/ephemeral_all, good, key id mismatch,
            -s "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -S "key exchange mode: psk_ephemeral"  \
-            -s "key exchange mode: ephemeral"
+            -s "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_gnutls_tls1_3
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -546,7 +548,8 @@ run_test    "TLS 1.3: G->m: all/ephemeral_all, good" \
            -S "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -s "key exchange mode: psk_ephemeral"  \
-            -S "key exchange mode: ephemeral"
+            -S "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_gnutls_tls1_3
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -567,7 +570,8 @@ run_test    "TLS 1.3: G->m: all/ephemeral_all, good, key id mismatch, dhe." \
            -s "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -S "key exchange mode: psk_ephemeral"  \
-            -s "key exchange mode: ephemeral"
+            -s "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_gnutls_tls1_3
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -611,7 +615,8 @@ run_test    "TLS 1.3: G->m: psk_or_ephemeral/ephemeral_all, good" \
            -s "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -S "key exchange mode: psk_ephemeral"  \
-            -s "key exchange mode: ephemeral"
+            -s "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_gnutls_tls1_3
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -634,7 +639,8 @@ run_test    "TLS 1.3: G->m: ephemeral_all/all, good" \
            -S "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -s "key exchange mode: psk_ephemeral"  \
-            -S "key exchange mode: ephemeral"
+            -S "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_gnutls_tls1_3
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -656,7 +662,8 @@ run_test    "TLS 1.3: G->m: ephemeral_all/all, good, key id mismatch, dhe." \
            -s "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -S "key exchange mode: psk_ephemeral"  \
-            -s "key exchange mode: ephemeral"
+            -s "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_gnutls_tls1_3
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -701,7 +708,8 @@ run_test    "TLS 1.3: G->m: all/all, good" \
            -S "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -s "key exchange mode: psk_ephemeral"  \
-            -S "key exchange mode: ephemeral"
+            -S "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_gnutls_tls1_3
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -723,7 +731,8 @@ run_test    "TLS 1.3: G->m: all/all, good, key id mismatch, dhe." \
            -s "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -S "key exchange mode: psk_ephemeral"  \
-            -s "key exchange mode: ephemeral"
+            -s "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_gnutls_tls1_3
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -768,7 +777,8 @@ run_test    "TLS 1.3: G->m: psk_or_ephemeral/all, good" \
            -S "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -S "key exchange mode: psk_ephemeral"  \
-            -s "key exchange mode: ephemeral"
+            -s "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_gnutls_tls1_3
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -813,7 +823,8 @@ run_test    "TLS 1.3: G->m: ephemeral_all/psk_or_ephemeral, good" \
            -s "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -S "key exchange mode: psk_ephemeral"  \
-            -s "key exchange mode: ephemeral"
+            -s "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_gnutls_tls1_3
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -835,7 +846,8 @@ run_test    "TLS 1.3: G->m: all/psk_or_ephemeral, good" \
            -S "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -S "key exchange mode: psk_ephemeral"  \
-            -s "key exchange mode: ephemeral"
+            -s "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_gnutls_tls1_3
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -878,7 +890,8 @@ run_test    "TLS 1.3: G->m: psk_or_ephemeral/psk_or_ephemeral, good" \
            -S "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -S "key exchange mode: psk_ephemeral"  \
-            -s "key exchange mode: ephemeral"
+            -s "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_gnutls_tls1_3
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1319,7 +1332,8 @@ run_test    "TLS 1.3: O->m: ephemeral_all/ephemeral_all, good" \
            -S "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -s "key exchange mode: psk_ephemeral"  \
-            -S "key exchange mode: ephemeral"
+            -S "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1339,7 +1353,8 @@ run_test    "TLS 1.3: O->m: ephemeral_all/ephemeral_all, good, key id mismatch,
            -s "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -S "key exchange mode: psk_ephemeral"  \
-            -s "key exchange mode: ephemeral"
+            -s "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1380,7 +1395,8 @@ run_test    "TLS 1.3: O->m: all/ephemeral_all, good" \
            -S "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -s "key exchange mode: psk_ephemeral"  \
-            -S "key exchange mode: ephemeral"
+            -S "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1400,7 +1416,8 @@ run_test    "TLS 1.3: O->m: all/ephemeral_all, good, key id mismatch, dhe." \
            -s "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -S "key exchange mode: psk_ephemeral"  \
-            -s "key exchange mode: ephemeral"
+            -s "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1442,7 +1459,8 @@ run_test    "TLS 1.3: O->m: ephemeral_all/all, good" \
            -S "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -s "key exchange mode: psk_ephemeral"  \
-            -S "key exchange mode: ephemeral"
+            -S "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1463,7 +1481,8 @@ run_test    "TLS 1.3: O->m: ephemeral_all/all, good, key id mismatch, dhe." \
            -s "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -S "key exchange mode: psk_ephemeral"  \
-            -s "key exchange mode: ephemeral"
+            -s "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1506,7 +1525,8 @@ run_test    "TLS 1.3: O->m: all/all, good" \
            -S "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -s "key exchange mode: psk_ephemeral"  \
-            -S "key exchange mode: ephemeral"
+            -S "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1527,7 +1547,8 @@ run_test    "TLS 1.3: O->m: all/all, good, key id mismatch, dhe." \
            -s "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -S "key exchange mode: psk_ephemeral"  \
-            -s "key exchange mode: ephemeral"
+            -s "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1570,7 +1591,8 @@ run_test    "TLS 1.3: O->m: ephemeral_all/psk_or_ephemeral, good" \
            -s "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -S "key exchange mode: psk_ephemeral"  \
-            -s "key exchange mode: ephemeral"
+            -s "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1591,7 +1613,8 @@ run_test    "TLS 1.3: O->m: all/psk_or_ephemeral, good" \
            -S "No usable PSK or ticket" \
            -S "key exchange mode: psk$"  \
            -S "key exchange mode: psk_ephemeral"  \
-            -s "key exchange mode: ephemeral"
+            -s "key exchange mode: ephemeral" \
+            -s "! Certificate verification was skipped"

 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -1880,7 +1903,9 @@ run_test    "TLS 1.3: m->m: psk/all, good" \
            -c "client hello, adding psk_key_exchange_modes extension" \
            -c "client hello, adding PSK binder list" \
            -c "Selected key exchange mode: psk$" \
-            -c "HTTP/1.0 200 OK"
+            -c "HTTP/1.0 200 OK" \
+            -c "! Certificate verification was skipped" \
+            -s "! Certificate verification was skipped"

 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -1995,7 +2020,9 @@ run_test    "TLS 1.3: m->m: psk_ephemeral/ephemeral_all, good" \
            -c "client hello, adding psk_key_exchange_modes extension" \
            -c "client hello, adding PSK binder list" \
            -c "Selected key exchange mode: psk_ephemeral" \
-            -c "HTTP/1.0 200 OK"
+            -c "HTTP/1.0 200 OK" \
+            -c "! Certificate verification was skipped" \
+            -s "! Certificate verification was skipped"

 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2083,7 +2110,9 @@ run_test    "TLS 1.3: m->m: psk_ephemeral/all, good" \
            -c "client hello, adding psk_key_exchange_modes extension" \
            -c "client hello, adding PSK binder list" \
            -c "Selected key exchange mode: psk_ephemeral" \
-            -c "HTTP/1.0 200 OK"
+            -c "HTTP/1.0 200 OK" \
+            -c "! Certificate verification was skipped" \
+            -s "! Certificate verification was skipped"

 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2215,7 +2244,9 @@ run_test    "TLS 1.3: m->m: ephemeral_all/psk_ephemeral, good" \
            -c "client hello, adding psk_key_exchange_modes extension" \
            -c "client hello, adding PSK binder list" \
            -c "Selected key exchange mode: psk_ephemeral" \
-            -c "HTTP/1.0 200 OK"
+            -c "HTTP/1.0 200 OK" \
+            -c "! Certificate verification was skipped" \
+            -s "! Certificate verification was skipped"

 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2274,7 +2305,9 @@ run_test    "TLS 1.3: m->m: ephemeral_all/ephemeral_all, good" \
            -c "client hello, adding psk_key_exchange_modes extension" \
            -c "client hello, adding PSK binder list" \
            -c "Selected key exchange mode: psk_ephemeral" \
-            -c "HTTP/1.0 200 OK"
+            -c "HTTP/1.0 200 OK" \
+            -c "! Certificate verification was skipped" \
+            -s "! Certificate verification was skipped"

 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2319,7 +2352,9 @@ run_test    "TLS 1.3: m->m: ephemeral_all/psk_all, good" \
            -c "client hello, adding psk_key_exchange_modes extension" \
            -c "client hello, adding PSK binder list" \
            -c "Selected key exchange mode: psk_ephemeral" \
-            -c "HTTP/1.0 200 OK"
+            -c "HTTP/1.0 200 OK" \
+            -c "! Certificate verification was skipped" \
+            -s "! Certificate verification was skipped"

 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2366,7 +2401,9 @@ run_test    "TLS 1.3: m->m: ephemeral_all/all, good" \
            -c "client hello, adding psk_key_exchange_modes extension" \
            -c "client hello, adding PSK binder list" \
            -c "Selected key exchange mode: psk_ephemeral" \
-            -c "HTTP/1.0 200 OK"
+            -c "HTTP/1.0 200 OK" \
+            -c "! Certificate verification was skipped" \
+            -s "! Certificate verification was skipped"

 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2515,7 +2552,9 @@ run_test    "TLS 1.3: m->m: psk_all/ephemeral_all, good" \
            -c "client hello, adding psk_key_exchange_modes extension" \
            -c "client hello, adding PSK binder list" \
            -c "Selected key exchange mode: psk_ephemeral" \
-            -c "HTTP/1.0 200 OK"
+            -c "HTTP/1.0 200 OK" \
+            -c "! Certificate verification was skipped" \
+            -s "! Certificate verification was skipped"

 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2605,7 +2644,9 @@ run_test    "TLS 1.3: m->m: psk_all/all, good" \
            -c "client hello, adding psk_key_exchange_modes extension" \
            -c "client hello, adding PSK binder list" \
            -c "Selected key exchange mode: psk_ephemeral" \
-            -c "HTTP/1.0 200 OK"
+            -c "HTTP/1.0 200 OK" \
+            -c "! Certificate verification was skipped" \
+            -s "! Certificate verification was skipped"

 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2652,7 +2693,9 @@ run_test    "TLS 1.3: m->m: all/psk, good" \
            -c "client hello, adding psk_key_exchange_modes extension" \
            -c "client hello, adding PSK binder list" \
            -c "Selected key exchange mode: psk$" \
-            -c "HTTP/1.0 200 OK"
+            -c "HTTP/1.0 200 OK" \
+            -c "! Certificate verification was skipped" \
+            -s "! Certificate verification was skipped"

 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2699,7 +2742,9 @@ run_test    "TLS 1.3: m->m: all/psk_ephemeral, good" \
            -c "client hello, adding psk_key_exchange_modes extension" \
            -c "client hello, adding PSK binder list" \
            -c "Selected key exchange mode: psk_ephemeral" \
-            -c "HTTP/1.0 200 OK"
+            -c "HTTP/1.0 200 OK" \
+            -c "! Certificate verification was skipped" \
+            -s "! Certificate verification was skipped"

 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2762,7 +2807,9 @@ run_test    "TLS 1.3: m->m: all/ephemeral_all, good" \
            -c "client hello, adding psk_key_exchange_modes extension" \
            -c "client hello, adding PSK binder list" \
            -c "Selected key exchange mode: psk_ephemeral" \
-            -c "HTTP/1.0 200 OK"
+            -c "HTTP/1.0 200 OK" \
+            -c "! Certificate verification was skipped" \
+            -s "! Certificate verification was skipped"

 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2810,7 +2857,9 @@ run_test    "TLS 1.3: m->m: all/psk_all, good" \
            -c "client hello, adding psk_key_exchange_modes extension" \
            -c "client hello, adding PSK binder list" \
            -c "Selected key exchange mode: psk_ephemeral" \
-            -c "HTTP/1.0 200 OK"
+            -c "HTTP/1.0 200 OK" \
+            -c "! Certificate verification was skipped" \
+            -s "! Certificate verification was skipped"

 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2857,7 +2906,9 @@ run_test    "TLS 1.3: m->m: all/all, good" \
            -c "client hello, adding psk_key_exchange_modes extension" \
            -c "client hello, adding PSK binder list" \
            -c "Selected key exchange mode: psk_ephemeral" \
-            -c "HTTP/1.0 200 OK"
+            -c "HTTP/1.0 200 OK" \
+            -c "! Certificate verification was skipped" \
+            -s "! Certificate verification was skipped"

 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -3038,7 +3089,8 @@ run_test    "TLS 1.3: m->O: ephemeral_all/all, good" \
            -c "client hello, adding PSK binder list" \
            -c "Selected key exchange mode: psk_ephemeral" \
            -c "<= write client hello" \
-            -c "HTTP/1.0 200 ok"
+            -c "HTTP/1.0 200 ok" \
+            -c "! Certificate verification was skipped"

 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -3056,7 +3108,8 @@ run_test    "TLS 1.3: m->O: ephemeral_all/ephemeral_all, good" \
            -c "client hello, adding PSK binder list" \
            -c "Selected key exchange mode: psk_ephemeral" \
            -c "<= write client hello" \
-            -c "HTTP/1.0 200 ok"
+            -c "HTTP/1.0 200 ok" \
+            -c "! Certificate verification was skipped"

 #OPENSSL-SERVER all mode
 requires_openssl_tls1_3_with_compatible_ephemeral
@@ -3076,7 +3129,8 @@ run_test    "TLS 1.3: m->O: all/all, good" \
            -c "client hello, adding PSK binder list" \
            -c "Selected key exchange mode: psk_ephemeral" \
            -c "<= write client hello" \
-            -c "HTTP/1.0 200 ok"
+            -c "HTTP/1.0 200 ok" \
+            -c "! Certificate verification was skipped"

 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -3095,7 +3149,8 @@ run_test    "TLS 1.3: m->O: all/ephemeral_all, good" \
            -c "client hello, adding PSK binder list" \
            -c "Selected key exchange mode: psk_ephemeral" \
            -c "<= write client hello" \
-            -c "HTTP/1.0 200 ok"
+            -c "HTTP/1.0 200 ok" \
+            -c "! Certificate verification was skipped"

 #GNUTLS-SERVER psk mode
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -3259,7 +3314,8 @@ run_test    "TLS 1.3: m->G: ephemeral_all/all, good" \
            -s "Parsing extension 'Pre Shared Key/41'" \
            -c "<= write client hello" \
            -c "Selected key exchange mode: psk_ephemeral" \
-            -c "HTTP/1.0 200 OK"
+            -c "HTTP/1.0 200 OK" \
+            -c "! Certificate verification was skipped"

 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_gnutls_tls1_3
@@ -3279,7 +3335,8 @@ run_test    "TLS 1.3: m->G: ephemeral_all/ephemeral_all, good" \
            -s "Parsing extension 'Pre Shared Key/41'" \
            -c "<= write client hello" \
            -c "Selected key exchange mode: psk_ephemeral" \
-            -c "HTTP/1.0 200 OK"
+            -c "HTTP/1.0 200 OK" \
+            -c "! Certificate verification was skipped"

 #GNUTLS-SERVER all mode
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
@@ -3301,7 +3358,8 @@ run_test    "TLS 1.3: m->G: all/all, good" \
            -s "Parsing extension 'Pre Shared Key/41'" \
            -c "<= write client hello" \
            -c "Selected key exchange mode: psk_ephemeral" \
-            -c "HTTP/1.0 200 OK"
+            -c "HTTP/1.0 200 OK" \
+            -c "! Certificate verification was skipped"

 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_gnutls_tls1_3
@@ -3322,4 +3380,5 @@ run_test    "TLS 1.3: m->G: all/ephemeral_all, good" \
            -s "Parsing extension 'Pre Shared Key/41'" \
            -c "<= write client hello" \
            -c "Selected key exchange mode: psk_ephemeral" \
-            -c "HTTP/1.0 200 OK"
+            -c "HTTP/1.0 200 OK" \
+            -c "! Certificate verification was skipped"
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -5772,6 +5772,7 @@ run_test    "Authentication: server badcert, client none" \
             key_file=$DATA_FILES_PATH/server5.key" \
            "$P_CLI debug_level=3 auth_mode=none" \
            0 \
+            -c "! Certificate verification was skipped" \
            -C "x509_verify_cert() returned" \
            -C "! The certificate is not correctly signed by the trusted CA" \
            -C "! mbedtls_ssl_handshake returned" \
@@ -5783,12 +5784,14 @@ run_test    "Authentication: server badcert, client none (1.2)" \
             key_file=$DATA_FILES_PATH/server5.key" \
            "$P_CLI force_version=tls12 debug_level=3 auth_mode=none" \
            0 \
+            -c "! Certificate verification was skipped" \
            -C "x509_verify_cert() returned" \
            -C "! The certificate is not correctly signed by the trusted CA" \
            -C "! mbedtls_ssl_handshake returned" \
            -C "send alert level=2 message=48" \
            -C "X509 - Certificate verification failed"

+
 run_test    "Authentication: server goodcert, client required, no trusted CA" \
            "$P_SRV" \
            "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
@@ -5837,6 +5840,7 @@ run_test    "Authentication: server goodcert, client none, no trusted CA" \
            "$P_SRV" \
            "$P_CLI debug_level=3 auth_mode=none ca_file=none ca_path=none" \
            0 \
+            -c "! Certificate verification was skipped" \
            -C "x509_verify_cert() returned" \
            -C "! The certificate is not correctly signed by the trusted CA" \
            -C "! Certificate verification flags"\
@@ -5844,11 +5848,13 @@ run_test    "Authentication: server goodcert, client none, no trusted CA" \
            -C "X509 - Certificate verification failed" \
            -C "SSL - No CA Chain is set, but required to operate"

+
 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
 run_test    "Authentication: server goodcert, client none, no trusted CA (1.2)" \
            "$P_SRV" \
            "$P_CLI force_version=tls12 debug_level=3 auth_mode=none ca_file=none ca_path=none" \
            0 \
+            -c "! Certificate verification was skipped" \
            -C "x509_verify_cert() returned" \
            -C "! The certificate is not correctly signed by the trusted CA" \
            -C "! Certificate verification flags"\
@@ -5856,6 +5862,7 @@ run_test    "Authentication: server goodcert, client none, no trusted CA (1.2)"
            -C "X509 - Certificate verification failed" \
            -C "SSL - No CA Chain is set, but required to operate"

+
 # The next few tests check what happens if the server has a valid certificate
 # that does not match its name (impersonation).

@@ -5939,12 +5946,14 @@ run_test "Authentication: hostname mismatch, client none" \
         "$P_SRV" \
         "$P_CLI auth_mode=none server_name=wrong-name debug_level=2" \
         0 \
+         -c "! Certificate verification was skipped" \
         -C "does not match with the expected CN" \
         -C "Certificate verification without having set hostname" \
         -C "Certificate verification without CN verification" \
         -C "x509_verify_cert() returned -" \
         -C "X509 - Certificate verification failed"

+
 run_test "Authentication: hostname null, client required" \
         "$P_SRV" \
         "$P_CLI auth_mode=required set_hostname=NULL debug_level=2" \
@@ -5970,12 +5979,14 @@ run_test "Authentication: hostname null, client none" \
         "$P_SRV" \
         "$P_CLI auth_mode=none set_hostname=NULL debug_level=2" \
         0 \
+         -c "! Certificate verification was skipped" \
         -C "does not match with the expected CN" \
         -C "Certificate verification without having set hostname" \
         -C "Certificate verification without CN verification" \
         -C "x509_verify_cert() returned -" \
         -C "X509 - Certificate verification failed"

+
 run_test "Authentication: hostname unset, client required" \
         "$P_SRV" \
         "$P_CLI auth_mode=required set_hostname=no debug_level=2" \
@@ -6015,6 +6026,7 @@ run_test "Authentication: hostname unset, client none" \
         "$P_SRV" \
         "$P_CLI auth_mode=none set_hostname=no debug_level=2" \
         0 \
+         -c "! Certificate verification was skipped" \
         -C "does not match with the expected CN" \
         -C "Certificate verification without having set hostname" \
         -C "Certificate verification without CN verification" \
@@ -6173,6 +6185,7 @@ run_test    "Authentication: client badcert, server none" \
            "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
             key_file=$DATA_FILES_PATH/server5.key" \
            0 \
+            -s "! Certificate verification was skipped" \
            -s "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got no certificate request" \
@@ -6280,6 +6293,7 @@ run_test    "Authentication: server max_int+1 chain, client none" \
            "$P_CLI force_version=tls12 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \
                    auth_mode=none" \
            0 \
+            -c "! Certificate verification was skipped" \
            -C "X509 - A fatal error occurred"

 requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -3527,3 +3527,6 @@ ssl_tls_exporter_too_early:MBEDTLS_SSL_VERSION_TLS1_3:1:MBEDTLS_SSL_SERVER_CERTI

 TLS fatal alert getter
 ssl_get_alert_after_fatal
+
+Default verify_result before doing a handshake
+verify_result_without_handshake
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -6040,3 +6040,46 @@ exit:
    USE_PSA_DONE();
 }
 /* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+void verify_result_without_handshake(void)
+{
+    /* Test the result of verification before we perform a handshake. */
+    mbedtls_ssl_context ssl;
+    mbedtls_ssl_config conf;
+
+    PSA_INIT();
+
+    mbedtls_ssl_init(&ssl);
+    mbedtls_ssl_config_init(&conf);
+
+    TEST_EQUAL(mbedtls_ssl_config_defaults(&conf,
+                                           MBEDTLS_SSL_IS_CLIENT,
+                                           MBEDTLS_SSL_TRANSPORT_STREAM,
+                                           MBEDTLS_SSL_PRESET_DEFAULT), 0);
+
+    mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
+    mbedtls_ssl_conf_ca_chain(&conf, NULL, NULL);
+
+    TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0);
+
+    uint32_t verify_result = mbedtls_ssl_get_verify_result(&ssl);
+
+    TEST_EQUAL(verify_result, 0xFFFFFFFF);
+
+    /* Set the verify result manually and check that session_free resets it. */
+
+    /* Set the verify result to 0. */
+    ssl.session_negotiate->verify_result = 0;
+
+    mbedtls_ssl_session_free(ssl.session_negotiate);
+
+    verify_result = mbedtls_ssl_get_verify_result(&ssl);
+    TEST_EQUAL(verify_result, 0xFFFFFFFF);
+
+exit:
+    mbedtls_ssl_config_free(&conf);
+    mbedtls_ssl_free(&ssl);
+    PSA_DONE();
+}
+/* END_CASE */