diff options
| author | Přemysl Janouch <p.janouch@gmail.com> | 2015-04-08 20:29:53 +0200 |
|---|---|---|
| committer | Přemysl Janouch <p.janouch@gmail.com> | 2015-04-08 20:29:53 +0200 |
| commit | ad094ebb4b54a48a2f475a9c845da1bfc9592912 (patch) | |
| tree | d364d2a6490d41e3d75a3b6a7a868449a411823a /json-rpc-shell.c | |
| parent | e1d2626f107224f049e94471e422cef885a6e3e0 (diff) | |
| download | json-rpc-shell-ad094ebb4b54a48a2f475a9c845da1bfc9592912.tar.gz json-rpc-shell-ad094ebb4b54a48a2f475a9c845da1bfc9592912.tar.xz json-rpc-shell-ad094ebb4b54a48a2f475a9c845da1bfc9592912.zip | |
Allow specifying the CA bundle in configuration
Diffstat (limited to 'json-rpc-shell.c')
| -rw-r--r-- | json-rpc-shell.c | 41 |
1 files changed, 38 insertions, 3 deletions
diff --git a/json-rpc-shell.c b/json-rpc-shell.c index a344f2b..bbff128 100644 --- a/json-rpc-shell.c +++ b/json-rpc-shell.c @@ -69,6 +69,10 @@ static struct config_item g_config_table[] = { ATTR_ERROR, NULL, "Terminal attributes for errors" }, { ATTR_INCOMING, NULL, "Terminal attributes for incoming traffic" }, { ATTR_OUTGOING, NULL, "Terminal attributes for outgoing traffic" }, + + { "ca_file", NULL, "OpenSSL trusted CA certificates file" }, + { "ca_path", NULL, "OpenSSL trusted CA certificates path" }, + { NULL, NULL, NULL } }; @@ -985,6 +989,29 @@ backend_ws_establish_connection (struct app_context *ctx, } static bool +backend_ws_set_up_ssl_ctx (struct app_context *ctx) +{ + struct ws_context *self = &ctx->ws; + if (ctx->trust_all) + { + SSL_CTX_set_verify (self->ssl_ctx, SSL_VERIFY_NONE, NULL); + return true; + } + + const char *ca_file = str_map_find (&ctx->config, "ca_file"); + const char *ca_path = str_map_find (&ctx->config, "ca_path"); + if (ca_file || ca_path) + { + if (SSL_CTX_load_verify_locations (self->ssl_ctx, ca_file, ca_path)) + return true; + print_warning ("%s: %s", + "failed to set locations for trusted CA certificates", + ERR_reason_error_string (ERR_get_error ())); + } + return SSL_CTX_set_default_verify_paths (self->ssl_ctx); +} + +static bool backend_ws_initialize_tls (struct app_context *ctx, const char *server_name, struct error **e) { @@ -994,9 +1021,8 @@ backend_ws_initialize_tls (struct app_context *ctx, { if (!(self->ssl_ctx = SSL_CTX_new (SSLv23_client_method ()))) goto error_ssl_1; - if (ctx->trust_all) - SSL_CTX_set_verify (self->ssl_ctx, SSL_VERIFY_NONE, NULL); - // XXX: how do we check certificates? + if (!backend_ws_set_up_ssl_ctx (ctx)) + goto error_ssl_2; } self->ssl = SSL_new (self->ssl_ctx); @@ -1530,6 +1556,15 @@ backend_curl_init (struct app_context *ctx, ctx->trust_all ? 0L : 2L) || curl_easy_setopt (curl, CURLOPT_URL, endpoint)) exit_fatal ("cURL setup failed"); + + if (!ctx->trust_all) + { + const char *ca_file = str_map_find (&ctx->config, "ca_file"); + const char *ca_path = str_map_find (&ctx->config, "ca_path"); + if ((ca_file && !curl_easy_setopt (curl, CURLOPT_CAINFO, ca_file)) + || (ca_path && !curl_easy_setopt (curl, CURLOPT_CAPATH, ca_path))) + exit_fatal ("cURL setup failed"); + } } static void |