Diffstat (limited to 'openssl.c')
-rw-r--r-- | openssl.c | 21 |
1 files changed, 13 insertions, 8 deletions
@@ -40,7 +40,7 @@ SSL_CTX* ssl_newServerCtx(char *certfile, char *keyfile)
 SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM);
 SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM);
 if (!SSL_CTX_check_private_key(ctx))
 ssl_printErrors("Could not load cert/private key");
- SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+ SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); // SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
 return ctx;
 }
@@ -51,10 +51,15 @@ SSL_CTX* ssl_newClientCtx(const char *cabundle)
 SSL_CTX *ctx = SSL_CTX_new(m);
 if (ctx == NULL) ssl_printErrors("newClientCtx: ctx is NULL");
 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
- SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+ SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); // | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
 if (cabundle != NULL && cabundle[0] != '\0') {
- SSL_CTX_load_verify_locations(ctx, cabundle, NULL);
- //SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+ if (SSL_CTX_load_verify_locations(ctx, cabundle, NULL) == 0) {
+ ssl_printErrors("Loading trusted certs failed");
+ exit(1);
+ }
+ SSL_CTX_set_default_verify_paths(ctx);
+ printf("Loaded ca-bundle '%s'\n", cabundle);
+ //SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); <- do this manually after SSL_connect
 }
 return ctx;
 }
@@ -122,7 +127,7 @@ BOOL ssl_checkCertificateHash(epoll_server_t *server)
 // Get server cert
 X509 *cert = SSL_get_peer_certificate(server->ssl);
 if (cert == NULL) {
- printf("Warning: Server %s has no certificate!\n", server->serverData->addr);
+ printf("Error: Server %s has no certificate!\n", server->serverData->addr);
 return FALSE;
 }
 // Do we have a cabundle set?
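Review bot: In the ssl_newClientCtx hunk the return value of `SSL_CTX_set_default_verify_paths(ctx)` is discarded, so a missing or unreadable system trust store goes unnoticed while the explicit ca-bundle failure just above it aborts the process; check it the same way, `if (SSL_CTX_set_default_verify_paths(ctx) == 0) ssl_printErrors("Loading default verify paths failed");`. Calling `exit(1)` from a context constructor also takes the decision away from the caller; freeing the context and returning NULL would fit the NULL-returning shape this function already has and let the caller report it. Because the context still has no verify mode set, a peer whose chain fails is only rejected if the caller performs the manual SSL_get_verify_result check the trailing comment alludes to; that contract deserves a sentence in the function's header comment naming who is responsible for it. The body of ssl_newClientCtx starts outside the hunk.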
@@ -130,13 +135,13 @@ BOOL ssl_checkCertificateHash(epoll_server_t *server)
 BOOL hostOk = spc_verify_cert_hostname(cert, server->serverData->addr);
 X509_free(cert);
 if (!hostOk) {
- printf("Warning: Server certificate's host name doesn't match '%s'\n", server->serverData->addr);
+ printf("Error: Server certificate's host name doesn't match '%s'\n", server->serverData->addr);
 return FALSE;
 }
 long res = SSL_get_verify_result(server->ssl);
 if(X509_V_OK != res) {
- printf("Warning: Server %s's certificate cannot be verified with given cabundle %s\n",
- server->serverData->addr, server->serverData->cabundle);
+ printf("Error: Server %s's certificate cannot be verified with given cabundle %s (result: %ld)\n",
+ server->serverData->addr, server->serverData->cabundle, res);
 return FALSE;
 }
 return TRUE;
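Review bot: The raw `%ld` verify result printed at the end of this hunk makes the reader look up the X509_V_ERR code by hand; `X509_verify_cert_error_string(res)` gives the human-readable reason, so `printf("Error: Server %s's certificate cannot be verified with given cabundle %s (%s)\n", server->serverData->addr, server->serverData->cabundle, X509_verify_cert_error_string(res));` is more useful in an incident log. All three diagnostics here (and the one in the hunk above) are now labelled "Error" but still go to stdout via printf, where they mix with normal output; fprintf to stderr would keep them separable for log collection. ssl_checkCertificateHash begins and ends outside the hunk.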