diff options
| author | Přemysl Janouch <p.janouch@gmail.com> | 2015-04-10 03:14:23 +0200 |
|---|---|---|
| committer | Přemysl Janouch <p.janouch@gmail.com> | 2015-04-10 03:17:01 +0200 |
| commit | 7de4bf31651ce663874146282517d61397800e31 (patch) | |
| tree | 994240316cc9701ff21ba1fdadb64e910b525d9b | |
| parent | dc08f9d5ab3182de4211c50c3c4c4cd3314fa171 (diff) | |
| download | xK-7de4bf31651ce663874146282517d61397800e31.tar.gz xK-7de4bf31651ce663874146282517d61397800e31.tar.xz xK-7de4bf31651ce663874146282517d61397800e31.zip | |
ZyklonB: actually do verify the server certificate
Bud still tolerate if it doesn't pass verification.
| -rw-r--r-- | zyklonb.c | 17 |
1 files changed, 15 insertions, 2 deletions
@@ -294,6 +294,18 @@ irc_send (struct bot_context *ctx, const char *format, ...) return result; } +static int +irc_ssl_verify_callback (int preverify_ok, X509_STORE_CTX *x509_ctx) +{ + (void) x509_ctx; + + if (!preverify_ok) + print_warning ("TLS certificate verification failed"); + + // We don't care; some encryption is always better than no encryption + return 1; +} + static bool irc_initialize_ssl (struct bot_context *ctx, struct error **e) { @@ -301,8 +313,9 @@ irc_initialize_ssl (struct bot_context *ctx, struct error **e) ctx->ssl_ctx = SSL_CTX_new (SSLv23_client_method ()); if (!ctx->ssl_ctx) goto error_ssl_1; - // We don't care; some encryption is always better than no encryption - SSL_CTX_set_verify (ctx->ssl_ctx, SSL_VERIFY_NONE, NULL); + if (!SSL_CTX_set_default_verify_paths (ctx->ssl_ctx)) + print_warning ("couldn't load TLS CA certificates"); + SSL_CTX_set_verify (ctx->ssl_ctx, SSL_VERIFY_PEER, irc_ssl_verify_callback); // XXX: maybe we should call SSL_CTX_set_options() for some workarounds ctx->ssl = SSL_new (ctx->ssl_ctx); |