path: root/openssl.c
authorSimon Rettberg2015-10-21 09:58:28 +0200
committerSimon Rettberg2015-10-21 09:58:28 +0200
commit2dd5d86c44231e570a62277f92e08d1fb741841f (patch)
treefd414a63830cd0bebe26b8992f85878229199550 /openssl.c
parentSupport certificate verification by ca-bundle and hostname (diff)
Always load default verify locations too when using cert validation. Also quit when initial connect fails in SSL mode.
Diffstat (limited to 'openssl.c')
-rw-r--r--openssl.c21
1 files changed, 13 insertions, 8 deletions
diff --git a/openssl.c b/openssl.c
index a1684cd..1dd5ba9 100644
--- a/openssl.c
+++ b/openssl.c
@@ -40,7 +40,7 @@ SSL_CTX* ssl_newServerCtx(char *certfile, char *keyfile)
SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM);
SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM);
if (!SSL_CTX_check_private_key(ctx)) ssl_printErrors("Could not load cert/private key");
- SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+ SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); // SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
return ctx;
}
@@ -51,10 +51,15 @@ SSL_CTX* ssl_newClientCtx(const char *cabundle)
SSL_CTX *ctx = SSL_CTX_new(m);
if (ctx == NULL) ssl_printErrors("newClientCtx: ctx is NULL");
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
- SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+ SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); // | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
if (cabundle != NULL && cabundle[0] != '\0') {
- SSL_CTX_load_verify_locations(ctx, cabundle, NULL);
- //SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+ if (SSL_CTX_load_verify_locations(ctx, cabundle, NULL) == 0) {
+ ssl_printErrors("Loading trusted certs failed");
+ exit(1);
+ }
+ SSL_CTX_set_default_verify_paths(ctx);
+ printf("Loaded ca-bundle '%s'\n", cabundle);
+ //SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); <- do this manually after SSL_connect
}
return ctx;
}
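Review bot: The return value of `SSL_CTX_set_default_verify_paths(ctx)` is not checked, although the load_verify_locations call directly above it now is; if the default locations cannot be loaded, the "always load default verify locations too" behaviour this commit introduces silently degrades to bundle-only trust with no diagnostic. For consistency with the surrounding error reporting, `if (SSL_CTX_set_default_verify_paths(ctx) == 0) ssl_printErrors("Loading default verify paths failed");` would at least make the condition visible, and the comment on the verify line could say which function is expected to perform the post-connect verification so the deferred `SSL_CTX_set_verify` is not mistaken for dead code. The hunk ends `ssl_newClientCtx`, whose beginning lies outside it.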
@@ -122,7 +127,7 @@ BOOL ssl_checkCertificateHash(epoll_server_t *server)
// Get server cert
X509 *cert = SSL_get_peer_certificate(server->ssl);
if (cert == NULL) {
- printf("Warning: Server %s has no certificate!\n", server->serverData->addr);
+ printf("Error: Server %s has no certificate!\n", server->serverData->addr);
return FALSE;
}
// Do we have a cabundle set?
@@ -130,13 +135,13 @@ BOOL ssl_checkCertificateHash(epoll_server_t *server)
BOOL hostOk = spc_verify_cert_hostname(cert, server->serverData->addr);
X509_free(cert);
if (!hostOk) {
- printf("Warning: Server certificate's host name doesn't match '%s'\n", server->serverData->addr);
+ printf("Error: Server certificate's host name doesn't match '%s'\n", server->serverData->addr);
return FALSE;
}
long res = SSL_get_verify_result(server->ssl);
if(X509_V_OK != res) {
- printf("Warning: Server %s's certificate cannot be verified with given cabundle %s\n",
- server->serverData->addr, server->serverData->cabundle);
+ printf("Error: Server %s's certificate cannot be verified with given cabundle %s (result: %ld)\n",
+ server->serverData->addr, server->serverData->cabundle, res);
return FALSE;
}
return TRUE;
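Review bot: The new `(result: %ld)` in the verification-failure message prints a raw X509_V_ERR code that an operator then has to look up; OpenSSL provides a human-readable form, so `printf("Error: Server %s's certificate cannot be verified with given cabundle %s (%s)\n", server->serverData->addr, server->serverData->cabundle, X509_verify_cert_error_string(res));` gives the reason (expired, self-signed, unknown issuer) directly in the log. It would also help to note in a comment at the top of this check that `SSL_get_verify_result` only reflects chain verification performed during the handshake, so it is meaningful only if verification was enabled before or during `SSL_connect` as the comment in `ssl_newClientCtx` intends; I cannot confirm from this hunk where that happens. `ssl_checkCertificateHash` begins outside the hunk.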