fix acceptance of trusted SSL certs
we should make no assumptions about the layout of OpenSSL's certificate store, in particular when they are wrong. so copy the interesting part instead of "deep-linking" into it. this code is uglier than it should be, but OpenSSL's extensive use of macros to manage data types would force us to include the ssl headers into our headers otherwise, which would be even uglier. REFMAIL: <545442CC.9020400@nodivisions.com>
This commit is contained in:
parent
47897d2403
commit
6f7d416bb8
|
@ -178,11 +178,11 @@ ssl_verify_callback( int ok, X509_STORE_CTX *ctx )
|
||||||
|
|
||||||
if (!conn->force_trusted) {
|
if (!conn->force_trusted) {
|
||||||
X509 *cert = sk_X509_value( ctx->chain, 0 );
|
X509 *cert = sk_X509_value( ctx->chain, 0 );
|
||||||
STACK_OF(X509_OBJECT) *trusted = ctx->ctx->objs;
|
STACK_OF(X509_OBJECT) *trusted = (STACK_OF(X509_OBJECT) *)conn->conf->trusted_certs;
|
||||||
unsigned i;
|
int i;
|
||||||
|
|
||||||
conn->force_trusted = -1;
|
conn->force_trusted = -1;
|
||||||
for (i = 0; i < conn->conf->num_trusted; i++) {
|
for (i = 0; i < sk_X509_OBJECT_num( trusted ); i++) {
|
||||||
if (!X509_cmp( cert, sk_X509_OBJECT_value( trusted, i )->data.x509 )) {
|
if (!X509_cmp( cert, sk_X509_OBJECT_value( trusted, i )->data.x509 )) {
|
||||||
conn->force_trusted = 1;
|
conn->force_trusted = 1;
|
||||||
break;
|
break;
|
||||||
|
@ -227,7 +227,7 @@ init_ssl_ctx( const server_conf_t *conf )
|
||||||
conf->cert_file, ERR_error_string( ERR_get_error(), 0 ) );
|
conf->cert_file, ERR_error_string( ERR_get_error(), 0 ) );
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
mconf->num_trusted = sk_X509_OBJECT_num( SSL_CTX_get_cert_store( mconf->SSLContext )->objs );
|
mconf->trusted_certs = (_STACK *)sk_X509_OBJECT_dup( SSL_CTX_get_cert_store( mconf->SSLContext )->objs );
|
||||||
if (!SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
|
if (!SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
|
||||||
warn( "Warning: Unable to load default certificate files: %s\n",
|
warn( "Warning: Unable to load default certificate files: %s\n",
|
||||||
ERR_error_string( ERR_get_error(), 0 ) );
|
ERR_error_string( ERR_get_error(), 0 ) );
|
||||||
|
|
|
@ -27,6 +27,7 @@
|
||||||
|
|
||||||
typedef struct ssl_st SSL;
|
typedef struct ssl_st SSL;
|
||||||
typedef struct ssl_ctx_st SSL_CTX;
|
typedef struct ssl_ctx_st SSL_CTX;
|
||||||
|
typedef struct stack_st _STACK;
|
||||||
|
|
||||||
typedef struct server_conf {
|
typedef struct server_conf {
|
||||||
char *tunnel;
|
char *tunnel;
|
||||||
|
@ -39,7 +40,7 @@ typedef struct server_conf {
|
||||||
|
|
||||||
/* these are actually variables and are leaked at the end */
|
/* these are actually variables and are leaked at the end */
|
||||||
char ssl_ctx_valid;
|
char ssl_ctx_valid;
|
||||||
unsigned num_trusted;
|
_STACK *trusted_certs;
|
||||||
SSL_CTX *SSLContext;
|
SSL_CTX *SSLContext;
|
||||||
#endif
|
#endif
|
||||||
} server_conf_t;
|
} server_conf_t;
|
||||||
|
|
Loading…
Reference in New Issue
Block a user