From 4ead42f4e351a637e0ffb64a56075d6c5fadeea2 Mon Sep 17 00:00:00 2001
From: Přemysl Janouch
Date: Sun, 12 Jul 2015 01:58:38 +0200
Subject: degesch: fix certificate verification
Also print some certificate information while connecting.
---
degesch.c | 32 ++++++++++++++++++++++++++++++--
1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/degesch.c b/degesch.c
index 2cd31ff..9eb1882 100644
--- a/degesch.c
+++ b/degesch.c
@@ -3842,12 +3842,40 @@ struct transport_tls_data
bool ssl_tx_want_rx; ///< SSL_write() wants to read
};
+/// The index in SSL_CTX user data for a reference to the server
+static int g_transport_tls_data_index = -1;
+
+static int
+transport_tls_verify_callback (int preverify_ok, X509_STORE_CTX *ctx)
+{
+ SSL *ssl = X509_STORE_CTX_get_ex_data
+ (ctx, SSL_get_ex_data_X509_STORE_CTX_idx ());
+ struct server *s = SSL_CTX_get_ex_data
+ (SSL_get_SSL_CTX (ssl), g_transport_tls_data_index);
+
+ X509 *cert = X509_STORE_CTX_get_current_cert (ctx);
+ char *subject = X509_NAME_oneline (X509_get_subject_name (cert), NULL, 0);
+ char *issuer = X509_NAME_oneline (X509_get_issuer_name (cert), NULL, 0);
+
+ log_server_status (s, s->buffer, "Certificate subject: #s", subject);
+ log_server_status (s, s->buffer, "Certificate issuer: #s", issuer);
+
+ free (subject);
+ free (issuer);
+ return preverify_ok;
+}
+
static bool
transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
{
bool verify = get_config_boolean (s->config, "ssl_verify");
- if (!verify)
- SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_NONE, NULL);
+ SSL_CTX_set_verify (ssl_ctx, verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
+ transport_tls_verify_callback);
+
+ if (g_transport_tls_data_index == -1)
+ g_transport_tls_data_index =
+ SSL_CTX_get_ex_new_index (0, "server", NULL, NULL, NULL);
+ SSL_CTX_set_ex_data (ssl_ctx, g_transport_tls_data_index, s);
// TODO: allow specifying SSL_CTX_set_cipher_list()
SSL_CTX_set_mode (ssl_ctx,
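Review bot: Switching to SSL_VERIFY_PEER in transport_tls_init_ctx makes OpenSSL validate the chain, but nothing in this hunk binds that validation to the server's name, so a certificate issued by a trusted CA for any other host would still be accepted unless the name is checked elsewhere in the file; with OpenSSL 1.0.2 or later that is `X509_VERIFY_PARAM_set1_host (SSL_CTX_get0_param (ssl_ctx), host, 0)` (host being the configured server address) when `verify` is set, otherwise an explicit `X509_check_host` on the peer certificate after the handshake. In transport_tls_verify_callback, `X509_STORE_CTX_get_current_cert` is documented to return NULL when no certificate is relevant to the error, and that NULL is passed straight to `X509_get_subject_name`, so a failing chain can crash the client instead of being reported. The callback also hands back `preverify_ok` without ever telling the user why verification failed; logging `X509_verify_cert_error_string (X509_STORE_CTX_get_error (ctx))` before a NULL guard addresses both. `transport_tls_init_ctx` continues past the end of the hunk.
```c
	X509 *cert = X509_STORE_CTX_get_current_cert (ctx);
	if (!preverify_ok)
		log_server_status (s, s->buffer, "Certificate verification failed: #s",
			X509_verify_cert_error_string (X509_STORE_CTX_get_error (ctx)));
	// For chain-level errors there may be no certificate to describe
	if (!cert)
		return preverify_ok;
	// … unchanged: subject/issuer logging and return …
```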
--