author | Přemysl Janouch <p.janouch@gmail.com> | 2015-07-12 01:58:38 +0200 |
---|---|---|
committer | Přemysl Janouch <p.janouch@gmail.com> | 2015-07-12 01:58:38 +0200 |
commit | 4ead42f4e351a637e0ffb64a56075d6c5fadeea2 (patch) | |
tree | 27c47bd4761578607e41aa75f0fb2c0f3f15d746 | |
parent | 20b317db30c59225965ad1cea0ea32bed4ce0b51 (diff) | |
download | xK-4ead42f4e351a637e0ffb64a56075d6c5fadeea2.tar.gz xK-4ead42f4e351a637e0ffb64a56075d6c5fadeea2.tar.xz xK-4ead42f4e351a637e0ffb64a56075d6c5fadeea2.zip |
degesch: fix certificate verification
Also print some certificate information while connecting.
-rw-r--r-- | degesch.c | 32 |
1 files changed, 30 insertions, 2 deletions
@@ -3842,12 +3842,40 @@ struct transport_tls_data
 bool ssl_tx_want_rx; ///< SSL_write() wants to read
 };
 
+/// The index in SSL_CTX user data for a reference to the server
+static int g_transport_tls_data_index = -1;
+
+static int
+transport_tls_verify_callback (int preverify_ok, X509_STORE_CTX *ctx)
+{
+ SSL *ssl = X509_STORE_CTX_get_ex_data
+ (ctx, SSL_get_ex_data_X509_STORE_CTX_idx ());
+ struct server *s = SSL_CTX_get_ex_data
+ (SSL_get_SSL_CTX (ssl), g_transport_tls_data_index);
+
+ X509 *cert = X509_STORE_CTX_get_current_cert (ctx);
+ char *subject = X509_NAME_oneline (X509_get_subject_name (cert), NULL, 0);
+ char *issuer = X509_NAME_oneline (X509_get_issuer_name (cert), NULL, 0);
+
+ log_server_status (s, s->buffer, "Certificate subject: #s", subject);
+ log_server_status (s, s->buffer, "Certificate issuer: #s", issuer);
+
+ free (subject);
+ free (issuer);
+ return preverify_ok;
+}
+
 static bool
 transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
 {
 bool verify = get_config_boolean (s->config, "ssl_verify");
- if (!verify)
- SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_NONE, NULL);
+ SSL_CTX_set_verify (ssl_ctx, verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
+ transport_tls_verify_callback);
+
+ if (g_transport_tls_data_index == -1)
+ g_transport_tls_data_index =
+ SSL_CTX_get_ex_new_index (0, "server", NULL, NULL, NULL);
+ SSL_CTX_set_ex_data (ssl_ctx, g_transport_tls_data_index, s);
 
 // TODO: allow specifying SSL_CTX_set_cipher_list()
 SSL_CTX_set_mode (ssl_ctx, |
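Review bot: When preverify_ok is 0 the callback passes the failure through without saying why, so a user whose connection is refused gets only a subject and an issuer and no reason; before `return preverify_ok;` add `if (!preverify_ok) log_server_status (s, s->buffer, "Certificate verification failed: #s", X509_verify_cert_error_string (X509_STORE_CTX_get_error (ctx)));`. The callback is also invoked once per certificate in the chain, so the two log lines will be printed for every intermediate and root as well as the leaf; logging `X509_STORE_CTX_get_error_depth (ctx)` with them, or printing only at depth 0, makes the output attributable. Separately, SSL_VERIFY_PEER only checks that the chain leads to a trusted CA and says nothing about which host the certificate was issued for, so unless the peer certificate is compared against the configured host name after the handshake elsewhere in degesch.c, a valid certificate for any other host would be accepted; X509_VERIFY_PARAM_set1_host on the context (OpenSSL 1.0.2+) or an explicit X509_check_host at depth 0 closes that gap. The return value of SSL_CTX_get_ex_new_index is not checked, and on failure SSL_CTX_set_ex_data is called with index -1. transport_tls_init_ctx continues past the end of the hunk.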