From 4ead42f4e351a637e0ffb64a56075d6c5fadeea2 Mon Sep 17 00:00:00 2001
From: Přemysl Janouch
Date: Sun, 12 Jul 2015 01:58:38 +0200
Subject: degesch: fix certificate verification

Also print some certificate information while connecting.
---
 degesch.c | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/degesch.c b/degesch.c
index 2cd31ff..9eb1882 100644
--- a/degesch.c
+++ b/degesch.c
@@ -3842,12 +3842,40 @@ struct transport_tls_data
 bool ssl_tx_want_rx; ///< SSL_write() wants to read
 };
 
+/// The index in SSL_CTX user data for a reference to the server
+static int g_transport_tls_data_index = -1;
+
+static int
+transport_tls_verify_callback (int preverify_ok, X509_STORE_CTX *ctx)
+{
+ SSL *ssl = X509_STORE_CTX_get_ex_data
+ (ctx, SSL_get_ex_data_X509_STORE_CTX_idx ());
+ struct server *s = SSL_CTX_get_ex_data
+ (SSL_get_SSL_CTX (ssl), g_transport_tls_data_index);
+
+ X509 *cert = X509_STORE_CTX_get_current_cert (ctx);
+ char *subject = X509_NAME_oneline (X509_get_subject_name (cert), NULL, 0);
+ char *issuer = X509_NAME_oneline (X509_get_issuer_name (cert), NULL, 0);
+
+ log_server_status (s, s->buffer, "Certificate subject: #s", subject);
+ log_server_status (s, s->buffer, "Certificate issuer: #s", issuer);
+
+ free (subject);
+ free (issuer);
+ return preverify_ok;
+}
+
 static bool
 transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
 {
 bool verify = get_config_boolean (s->config, "ssl_verify");
- if (!verify)
- SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_NONE, NULL);
+ SSL_CTX_set_verify (ssl_ctx, verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
+ transport_tls_verify_callback);
+
+ if (g_transport_tls_data_index == -1)
+ g_transport_tls_data_index =
+ SSL_CTX_get_ex_new_index (0, "server", NULL, NULL, NULL);
+ SSL_CTX_set_ex_data (ssl_ctx, g_transport_tls_data_index, s);
 
 // TODO: allow specifying SSL_CTX_set_cipher_list()
 SSL_CTX_set_mode (ssl_ctx,
-- 
cgit v1.2.3-70-g09d2
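Review bot: transport_tls_verify_callback passes the result of X509_STORE_CTX_get_current_cert() straight into X509_get_subject_name(), but OpenSSL documents that call as returning NULL when the verification error is not attributable to a particular certificate, so a failing handshake can crash in the logging path instead of being reported; add `if (!cert) return preverify_ok;` before the X509_NAME_oneline() calls. The buffers returned by X509_NAME_oneline (..., NULL, 0) are allocated by OpenSSL's allocator and should be released with `OPENSSL_free (subject); OPENSSL_free (issuer);` rather than free(), which only happens to work when both allocators are the same. When preverify_ok is 0 the user sees the subject and issuer but never why the chain was rejected; logging `X509_verify_cert_error_string (X509_STORE_CTX_get_error (ctx))` in that case would make a refused connection diagnosable. Note also that SSL_VERIFY_PEER validates the chain only, not that the leaf certificate is issued for the host the user connected to, so unless transport_tls_init_ctx (whose body continues past the hunk) or the connect path does hostname matching, any certificate from a trusted CA is accepted for any server. The -1 failure return of SSL_CTX_get_ex_new_index() is also not checked before it is stored and used.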