From ad094ebb4b54a48a2f475a9c845da1bfc9592912 Mon Sep 17 00:00:00 2001
From: Přemysl Janouch
Date: Wed, 8 Apr 2015 20:29:53 +0200
Subject: Allow specifying the CA bundle in configuration
---
 json-rpc-shell.c | 41 ++++++++++++++++++++++++++++++++++++++---
 1 file changed, 38 insertions(+), 3 deletions(-)
diff --git a/json-rpc-shell.c b/json-rpc-shell.c
index a344f2b..bbff128 100644
--- a/json-rpc-shell.c
+++ b/json-rpc-shell.c
@@ -69,6 +69,10 @@ static struct config_item g_config_table[] =
 { ATTR_ERROR, NULL, "Terminal attributes for errors" },
 { ATTR_INCOMING, NULL, "Terminal attributes for incoming traffic" },
 { ATTR_OUTGOING, NULL, "Terminal attributes for outgoing traffic" },
+
+ { "ca_file", NULL, "OpenSSL trusted CA certificates file" },
+ { "ca_path", NULL, "OpenSSL trusted CA certificates path" },
+
 { NULL, NULL, NULL }
 };
 
@@ -984,6 +988,29 @@ backend_ws_establish_connection (struct app_context *ctx,
 return true;
 }
 
+static bool
+backend_ws_set_up_ssl_ctx (struct app_context *ctx)
+{
+ struct ws_context *self = &ctx->ws;
+ if (ctx->trust_all)
+ {
+ SSL_CTX_set_verify (self->ssl_ctx, SSL_VERIFY_NONE, NULL);
+ return true;
+ }
+
+ const char *ca_file = str_map_find (&ctx->config, "ca_file");
+ const char *ca_path = str_map_find (&ctx->config, "ca_path");
+ if (ca_file || ca_path)
+ {
+ if (SSL_CTX_load_verify_locations (self->ssl_ctx, ca_file, ca_path))
+ return true;
+ print_warning ("%s: %s",
+ "failed to set locations for trusted CA certificates",
+ ERR_reason_error_string (ERR_get_error ()));
+ }
+ return SSL_CTX_set_default_verify_paths (self->ssl_ctx);
+}
+
 static bool
 backend_ws_initialize_tls (struct app_context *ctx,
 const char *server_name, struct error **e)
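Review bot: Loading CA locations does not by itself turn verification on: the non-trust_all path of backend_ws_set_up_ssl_ctx never calls SSL_CTX_set_verify with SSL_VERIFY_PEER, and a freshly created SSL_CTX defaults to SSL_VERIFY_NONE, so unless the verify result is checked after the handshake somewhere outside this hunk, the handshake still completes against any certificate the server presents. Adding `SSL_CTX_set_verify (self->ssl_ctx, SSL_VERIFY_PEER, NULL);` before the ca_file/ca_path lookup would close that gap, which is what the `// XXX: how do we check certificates?` comment removed in the next hunk was pointing at; hostname matching against server_name is a separate step neither call performs. When an explicitly configured ca_file or ca_path fails to load, falling through to SSL_CTX_set_default_verify_paths widens the trust set beyond what the operator asked for with only a warning, so returning false there would fail closed. ERR_reason_error_string can also return NULL for an unrecognised code, which the `%s` in print_warning does not tolerate; storing it in a local and passing `reason ? reason : "unknown error"` avoids that.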
@@ -994,9 +1021,8 @@ backend_ws_initialize_tls (struct app_context *ctx,
 {
 if (!(self->ssl_ctx = SSL_CTX_new (SSLv23_client_method ())))
 goto error_ssl_1;
- if (ctx->trust_all)
- SSL_CTX_set_verify (self->ssl_ctx, SSL_VERIFY_NONE, NULL);
- // XXX: how do we check certificates?
+ if (!backend_ws_set_up_ssl_ctx (ctx))
+ goto error_ssl_2;
 }
 
 self->ssl = SSL_new (self->ssl_ctx);
@@ -1530,6 +1556,15 @@ backend_curl_init (struct app_context *ctx,
 ctx->trust_all ? 0L : 2L)
 || curl_easy_setopt (curl, CURLOPT_URL, endpoint))
 exit_fatal ("cURL setup failed");
+
+ if (!ctx->trust_all)
+ {
+ const char *ca_file = str_map_find (&ctx->config, "ca_file");
+ const char *ca_path = str_map_find (&ctx->config, "ca_path");
+ if ((ca_file && !curl_easy_setopt (curl, CURLOPT_CAINFO, ca_file))
+ || (ca_path && !curl_easy_setopt (curl, CURLOPT_CAPATH, ca_path)))
+ exit_fatal ("cURL setup failed");
+ }
 }
 
 static void
-- 
cgit v1.2.3-70-g09d2
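Review bot: The two new curl_easy_setopt checks in backend_curl_init are inverted: curl_easy_setopt returns CURLE_OK (0) on success, and the existing condition three lines above treats a non-zero return as failure, yet the added lines negate the call, so a CA file or path that cURL accepts triggers exit_fatal while one it rejects is silently ignored and the connection proceeds with whatever trust store cURL falls back to. Drop the `!` on both lines: `if ((ca_file && curl_easy_setopt (curl, CURLOPT_CAINFO, ca_file))` and `|| (ca_path && curl_easy_setopt (curl, CURLOPT_CAPATH, ca_path)))`. The body of backend_curl_init begins outside the hunk.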