From 2dd5d86c44231e570a62277f92e08d1fb741841f Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Wed, 21 Oct 2015 09:58:28 +0200
Subject: Always load default verify locations too when using cert validation. Also quit when initial connect fails in SSL mode.
---
 openssl.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)
(limited to 'openssl.c')
diff --git a/openssl.c b/openssl.c
index a1684cd..1dd5ba9 100644
--- a/openssl.c
+++ b/openssl.c
@@ -40,7 +40,7 @@ SSL_CTX* ssl_newServerCtx(char *certfile, char *keyfile)
 SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM);
 SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM);
 if (!SSL_CTX_check_private_key(ctx)) ssl_printErrors("Could not load cert/private key");
- SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+ SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); // SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
 return ctx;
 }
@@ -51,10 +51,15 @@ SSL_CTX* ssl_newClientCtx(const char *cabundle)
 SSL_CTX *ctx = SSL_CTX_new(m);
 if (ctx == NULL) ssl_printErrors("newClientCtx: ctx is NULL");
 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
- SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+ SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); // | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
 if (cabundle != NULL && cabundle[0] != '\0') {
- SSL_CTX_load_verify_locations(ctx, cabundle, NULL);
- //SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+ if (SSL_CTX_load_verify_locations(ctx, cabundle, NULL) == 0) {
+ ssl_printErrors("Loading trusted certs failed");
+ exit(1);
+ }
+ SSL_CTX_set_default_verify_paths(ctx);
+ printf("Loaded ca-bundle '%s'\n", cabundle);
+ //SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); <- do this manually after SSL_connect
 }
 return ctx;
 }
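Review bot: The added `SSL_CTX_set_default_verify_paths(ctx);` in ssl_newClientCtx places the system trust store next to the configured cabundle, so a chain ending at any CA the host trusts will now produce `X509_V_OK`, not only chains ending in the bundle. The subject line says this is intended, but where the bundle is meant to restrict trust to specific CAs this should be optional, and the widened trust deserves a comment at the call site. The call's return value is also ignored while the call above it is now checked; `if (SSL_CTX_set_default_verify_paths(ctx) != 1) ssl_printErrors("Loading default verify paths failed");` would keep the two consistent. The function's opening lines, including where `m` is set, are outside the hunk.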
@@ -122,7 +127,7 @@ BOOL ssl_checkCertificateHash(epoll_server_t *server)
 // Get server cert
 X509 *cert = SSL_get_peer_certificate(server->ssl);
 if (cert == NULL) {
- printf("Warning: Server %s has no certificate!\n", server->serverData->addr);
+ printf("Error: Server %s has no certificate!\n", server->serverData->addr);
 return FALSE;
 }
 // Do we have a cabundle set?
@@ -130,13 +135,13 @@ BOOL ssl_checkCertificateHash(epoll_server_t *server)
 BOOL hostOk = spc_verify_cert_hostname(cert, server->serverData->addr);
 X509_free(cert);
 if (!hostOk) {
- printf("Warning: Server certificate's host name doesn't match '%s'\n", server->serverData->addr);
+ printf("Error: Server certificate's host name doesn't match '%s'\n", server->serverData->addr);
 return FALSE;
 }
 long res = SSL_get_verify_result(server->ssl);
 if(X509_V_OK != res) {
- printf("Warning: Server %s's certificate cannot be verified with given cabundle %s\n",
- server->serverData->addr, server->serverData->cabundle);
+ printf("Error: Server %s's certificate cannot be verified with given cabundle %s (result: %ld)\n",
+ server->serverData->addr, server->serverData->cabundle, res);
 return FALSE;
 }
 return TRUE;
-- cgit v1.2.3-55-g7522
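Review bot: The failure message in the `X509_V_OK != res` branch of ssl_checkCertificateHash now prints only the numeric verify code, which an operator has to look up by hand. `X509_verify_cert_error_string(res)` returns the reason as text and could be printed next to it, for example by extending the format to `(result: %ld, %s)` and passing `X509_verify_cert_error_string(res)` as the extra argument. The wording "with given cabundle" is also no longer accurate, since the ssl_newClientCtx hunk of this commit loads the default verify paths as well. The function starts and ends outside this hunk.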