summaryrefslogtreecommitdiff
path: root/degesch.c
diff options
context:
space:
mode:
Diffstat (limited to 'degesch.c')
-rw-r--r--degesch.c29
1 files changed, 18 insertions, 11 deletions
diff --git a/degesch.c b/degesch.c
index 615ebb7..5a5110f 100644
--- a/degesch.c
+++ b/degesch.c
@@ -1067,7 +1067,7 @@ enum transport_io_result
TRANSPORT_IO_ERROR ///< Connection error
};
-// The only real purpose of this is to abstract away TLS/SSL
+// The only real purpose of this is to abstract away TLS
struct transport
{
/// Initialize the transport
@@ -1530,11 +1530,11 @@ static struct config_schema g_config_server[] =
.validate = config_validate_nonjunk_string },
{ .name = "ssl",
- .comment = "Whether to use SSL/TLS",
+ .comment = "Whether to use TLS",
.type = CONFIG_ITEM_BOOLEAN,
.default_ = "off" },
{ .name = "ssl_cert",
- .comment = "Client SSL certificate (PEM)",
+ .comment = "Client TLS certificate (PEM)",
.type = CONFIG_ITEM_STRING },
{ .name = "ssl_verify",
.comment = "Whether to verify certificates",
@@ -3866,12 +3866,12 @@ static struct transport g_transport_plain =
.get_poll_events = transport_plain_get_poll_events,
};
-// --- SSL/TLS transport -------------------------------------------------------
+// --- TLS transport -----------------------------------------------------------
struct transport_tls_data
{
SSL_CTX *ssl_ctx; ///< SSL context
- SSL *ssl; ///< SSL/TLS connection
+ SSL *ssl; ///< SSL connection
bool ssl_rx_want_tx; ///< SSL_read() wants to write
bool ssl_tx_want_rx; ///< SSL_write() wants to read
};
@@ -3931,6 +3931,8 @@ transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
const char *ca_file = get_config_string (s->config, "ssl_ca_file");
const char *ca_path = get_config_string (s->config, "ssl_ca_path");
+ ERR_clear_error ();
+
struct error *error = NULL;
if (ca_file || ca_path)
{
@@ -3972,6 +3974,8 @@ transport_tls_init_cert (struct server *s, SSL *ssl, struct error **e)
if (!ssl_cert)
return true;
+ ERR_clear_error ();
+
bool result = false;
char *path = resolve_filename (ssl_cert, resolve_relative_config_filename);
if (!path)
@@ -3990,18 +3994,19 @@ transport_tls_init_cert (struct server *s, SSL *ssl, struct error **e)
static bool
transport_tls_init (struct server *s, struct error **e)
{
- const char *error_info = NULL;
+ ERR_clear_error ();
+
+ struct error *error = NULL;
SSL_CTX *ssl_ctx = SSL_CTX_new (SSLv23_client_method ());
if (!ssl_ctx)
goto error_ssl_1;
- if (!transport_tls_init_ctx (s, ssl_ctx, e))
+ if (!transport_tls_init_ctx (s, ssl_ctx, &error))
goto error_ssl_2;
SSL *ssl = SSL_new (ssl_ctx);
if (!ssl)
goto error_ssl_2;
- struct error *error = NULL;
if (!transport_tls_init_cert (s, ssl, &error))
{
// XXX: is this a reason to abort the connection?
@@ -4028,9 +4033,11 @@ error_ssl_3:
error_ssl_2:
SSL_CTX_free (ssl_ctx);
error_ssl_1:
- if (!error_info)
- error_info = ERR_reason_error_string (ERR_get_error ());
- error_set (e, "%s: %s", "could not initialize SSL/TLS", error_info);
+ if (!error)
+ error_set (&error, "%s: %s", "Could not initialize TLS",
+ ERR_reason_error_string (ERR_get_error ()));
+
+ error_propagate (e, error);
return false;
}