authorJoe George <joe@zeroc.com>2016-09-16 11:15:03 -0400
committerJoe George <joe@zeroc.com>2016-09-16 11:17:07 -0400
commitf4c6a36ff0478567a474f92408ba9a5b8c903832 (patch)
tree25c10e3518a0bd1006bd25c6a84f99d36e478b9b /cpp
parentFix for ICE-7357 - catch exceptions raised by connection getInfo (diff)
Fix ICE-7338
C++ IceSSL/configuration failures on macOS Sierra.
Diffstat (limited to 'cpp')
-rw-r--r--cpp/src/IceSSL/SecureTransportTransceiverI.cpp13
-rw-r--r--cpp/test/IceSSL/configuration/AllTests.cpp13
2 files changed, 15 insertions, 11 deletions
diff --git a/cpp/src/IceSSL/SecureTransportTransceiverI.cpp b/cpp/src/IceSSL/SecureTransportTransceiverI.cpp
index 2b4dff3ab25..39f73bb568a 100644
--- a/cpp/src/IceSSL/SecureTransportTransceiverI.cpp
+++ b/cpp/src/IceSSL/SecureTransportTransceiverI.cpp
@@ -136,7 +136,7 @@ checkTrustResult(SecTrustRef trust, const SecureTransportEnginePtr& engine, cons
}
default:
// case kSecTrustResultInvalid:
- // //case kSecTrustResultConfirm: // Used in old OS X versions
+ // case kSecTrustResultConfirm: // Used in old OS X versions
// case kSecTrustResultDeny:
// case kSecTrustResultRecoverableTrustFailure:
// case kSecTrustResultFatalTrustFailure:
@@ -225,14 +225,11 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
{
assert(!_trust);
err = SSLCopyPeerTrust(_ssl, &_trust);
- if(_incoming && err == errSSLBadCert && _engine->getVerifyPeer() == 1)
+ if(_incoming && _engine->getVerifyPeer() == 1 && (err == errSSLBadCert || _trust == 0))
{
- //
- // This is expected if the client doesn't provide a
- // certificate (occurs since 10.10). The server is
- // configured to verify to not require the client
- // certificate so we ignore the failure.
- //
+ // This is expected if the client doesn't provide a certificate. With 10.10 and 10.11 errSSLBadCert
+ // is expected, the server is configured to verify but not require the client
+ // certificate so we ignore the failure. In 10.12 there is no error and trust is 0.
continue;
}
if(err == noErr)
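Review bot: The added `_trust == 0` test applies whatever the value of `err`, so a SSLCopyPeerTrust failure other than errSSLBadCert that leaves `_trust` null is now skipped by `continue` instead of reaching the error handling that follows. The new comment describes the 10.12 case as "no error and trust is 0", and the condition should say exactly that: `if(_incoming && _engine->getVerifyPeer() == 1 && (err == errSSLBadCert || (err == noErr && _trust == 0)))`. The code that later consumes `_trust` is outside this hunk; it is worth confirming that it tolerates a null trust object when VerifyPeer is 1 and still rejects the peer when a client certificate is required. The body of initialize() starts and ends outside the hunk.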
diff --git a/cpp/test/IceSSL/configuration/AllTests.cpp b/cpp/test/IceSSL/configuration/AllTests.cpp
index cfa6506493e..10629281968 100644
--- a/cpp/test/IceSSL/configuration/AllTests.cpp
+++ b/cpp/test/IceSSL/configuration/AllTests.cpp
@@ -432,13 +432,20 @@ void
allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, bool shutdown)
{
#ifdef __APPLE__
- bool isElCapitan = false;
+ bool isElCapitanOrGreater = false;
vector<char> s(256);
size_t size = s.size();
int ret = sysctlbyname("kern.osrelease", &s[0], &size, NULL, 0);
if(ret == 0)
{
- isElCapitan = string(&s[0]).find("15.") == 0;
+ // version format is x.y.z
+ size_t first = string(&s[0]).find_first_of(".");
+ size_t last = string(&s[0]).find_last_of(".");
+
+ int majorVersion = atoi(string(&s[0]).substr(0, first - 1).c_str());
+ int minorVersion = atoi(string(&s[0]).substr(first + 1, last - first - 1).c_str());
+
+ isElCapitanOrGreater = majorVersion >= 15;
}
#endif
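Review bot: `substr(0, first - 1)` takes one character too few, so the major version loses its last digit: for a release string such as `15.0.0` (constructed example) `first` is 2, `atoi` sees `"1"`, and `majorVersion >= 15` is false for every two-digit major version. The count should be `first`: `int majorVersion = atoi(string(&s[0]).substr(0, first).c_str());`. `minorVersion` is computed but not used in the visible lines and can be dropped. With the flag stuck at false, the `if(!isElCapitanOrGreater)` branch in the later hunk would report the weak DH parameters rejection as a test failure on the systems this commit targets.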
@@ -1940,7 +1947,7 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
}
catch(const LocalException& ex)
{
- if(!isElCapitan) // DH params too weak for El Capitan
+ if(!isElCapitanOrGreater) // DH params too weak for El Capitan
{
cerr << ex << endl;
test(false);