authorPřemysl Janouch <p.janouch@gmail.com>2015-04-10 03:14:23 +0200
committerPřemysl Janouch <p.janouch@gmail.com>2015-04-10 03:17:01 +0200
commit7de4bf31651ce663874146282517d61397800e31 (patch)
tree994240316cc9701ff21ba1fdadb64e910b525d9b
parentdc08f9d5ab3182de4211c50c3c4c4cd3314fa171 (diff)
ZyklonB: actually do verify the server certificate
But still tolerate it if it doesn't pass verification.
-rw-r--r--zyklonb.c17
1 files changed, 15 insertions, 2 deletions
diff --git a/zyklonb.c b/zyklonb.c
index 5426604..d375b0c 100644
--- a/zyklonb.c
+++ b/zyklonb.c
@@ -294,6 +294,18 @@ irc_send (struct bot_context *ctx, const char *format, ...)
return result;
}
+static int
+irc_ssl_verify_callback (int preverify_ok, X509_STORE_CTX *x509_ctx)
+{
+ (void) x509_ctx;
+
+ if (!preverify_ok)
+ print_warning ("TLS certificate verification failed");
+
+ // We don't care; some encryption is always better than no encryption
+ return 1;
+}
+
static bool
irc_initialize_ssl (struct bot_context *ctx, struct error **e)
{
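Review bot: `irc_ssl_verify_callback` returns 1 whatever `preverify_ok` is, so under `SSL_VERIFY_PEER` a failed chain only prints a warning and the handshake still completes; the session remains exposed to an active man-in-the-middle, and the comment above `return 1;` should state that trade-off rather than "We don't care". The warning also discards the reason: rather than `(void) x509_ctx;`, report `X509_verify_cert_error_string (X509_STORE_CTX_get_error (x509_ctx))` together with `X509_STORE_CTX_get_error_depth (x509_ctx)`, assuming `print_warning` accepts a format string, which these hunks do not show. The second hunk has the same tolerance, since a failed `SSL_CTX_set_default_verify_paths` is only warned about, and with no CA store loaded every connection would take the warning path. Neither hunk shows a hostname check against the certificate, so even a chain that verifies is not tied to the server name unless that is done elsewhere in the file. A stricter default would be `return preverify_ok;`, with the tolerant behaviour kept behind an explicit opt-out.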
@@ -301,8 +313,9 @@ irc_initialize_ssl (struct bot_context *ctx, struct error **e)
ctx->ssl_ctx = SSL_CTX_new (SSLv23_client_method ());
if (!ctx->ssl_ctx)
goto error_ssl_1;
- // We don't care; some encryption is always better than no encryption
- SSL_CTX_set_verify (ctx->ssl_ctx, SSL_VERIFY_NONE, NULL);
+ if (!SSL_CTX_set_default_verify_paths (ctx->ssl_ctx))
+ print_warning ("couldn't load TLS CA certificates");
+ SSL_CTX_set_verify (ctx->ssl_ctx, SSL_VERIFY_PEER, irc_ssl_verify_callback);
// XXX: maybe we should call SSL_CTX_set_options() for some workarounds
ctx->ssl = SSL_new (ctx->ssl_ctx);