- accept unset CertificateFile

- print the certificate's fingerprint
- make the certificate acceptance prompt much less scary
This commit is contained in:
Oswald Buddenhagen 2008-04-12 08:58:50 +00:00
parent 89519e343c
commit 06521da30d

View File

@ -188,9 +188,11 @@ static int
verify_cert( SSL *ssl ) verify_cert( SSL *ssl )
{ {
X509 *cert; X509 *cert;
int err;
char buf[256];
BIO *bio; BIO *bio;
int err;
unsigned n, i;
char buf[256];
unsigned char md[EVP_MAX_MD_SIZE];
cert = SSL_get_peer_certificate( ssl ); cert = SSL_get_peer_certificate( ssl );
if (!cert) { if (!cert) {
@ -219,15 +221,18 @@ verify_cert( SSL *ssl )
BIO_read( bio, buf, sizeof(buf) - 1 ); BIO_read( bio, buf, sizeof(buf) - 1 );
BIO_free( bio ); BIO_free( bio );
info( " to: %s\n", buf ); info( " to: %s\n", buf );
if (!X509_digest( cert, EVP_md5(), md, &n ))
fputs( "\n*** WARNING *** There is no way to verify this certificate. It is\n" info( "*** Unable to calculate fingerprint\n" );
" possible that a hostile attacker has replaced the\n" else {
" server certificate. Continue at your own risk!\n" info( "Fingerprint: " );
"\nAccept this certificate anyway? [no]: ", stderr ); for (i = 0; i < n; i += 2)
if (fgets( buf, sizeof(buf), stdin ) && (buf[0] == 'y' || buf[0] == 'Y')) { info( "%02X%02X ", md[i], md[i + 1] );
error( "\n*** Fine, but don't say I didn't warn you!\n\n" ); info( "\n" );
return 0;
} }
fputs( "\nAccept certificate? [y/N]: ", stderr );
if (fgets( buf, sizeof(buf), stdin ) && (buf[0] == 'y' || buf[0] == 'Y'))
return 0;
return -1; return -1;
} }
@ -245,8 +250,7 @@ init_ssl_ctx( imap_store_t *ctx )
ctx->SSLContext = SSL_CTX_new( method ); ctx->SSLContext = SSL_CTX_new( method );
if (!srvc->cert_file) { if (!srvc->cert_file) {
error( "Error, CertificateFile not defined\n" ); info( "Note: CertificateFile not defined\n" );
return -1;
} else if (!SSL_CTX_load_verify_locations( ctx->SSLContext, srvc->cert_file, NULL )) { } else if (!SSL_CTX_load_verify_locations( ctx->SSLContext, srvc->cert_file, NULL )) {
error( "Error while loading certificate file '%s': %s\n", error( "Error while loading certificate file '%s': %s\n",
srvc->cert_file, ERR_error_string( ERR_get_error(), 0 ) ); srvc->cert_file, ERR_error_string( ERR_get_error(), 0 ) );