Allow specifying the CA bundle in configuration

This commit is contained in:
Přemysl Eric Janouch 2015-04-08 20:29:53 +02:00
parent e1d2626f10
commit ad094ebb4b

View File

@ -69,6 +69,10 @@ static struct config_item g_config_table[] =
{ ATTR_ERROR, NULL, "Terminal attributes for errors" }, { ATTR_ERROR, NULL, "Terminal attributes for errors" },
{ ATTR_INCOMING, NULL, "Terminal attributes for incoming traffic" }, { ATTR_INCOMING, NULL, "Terminal attributes for incoming traffic" },
{ ATTR_OUTGOING, NULL, "Terminal attributes for outgoing traffic" }, { ATTR_OUTGOING, NULL, "Terminal attributes for outgoing traffic" },
{ "ca_file", NULL, "OpenSSL trusted CA certificates file" },
{ "ca_path", NULL, "OpenSSL trusted CA certificates path" },
{ NULL, NULL, NULL } { NULL, NULL, NULL }
}; };
@ -984,6 +988,29 @@ backend_ws_establish_connection (struct app_context *ctx,
return true; return true;
} }
static bool
backend_ws_set_up_ssl_ctx (struct app_context *ctx)
{
struct ws_context *self = &ctx->ws;
if (ctx->trust_all)
{
SSL_CTX_set_verify (self->ssl_ctx, SSL_VERIFY_NONE, NULL);
return true;
}
const char *ca_file = str_map_find (&ctx->config, "ca_file");
const char *ca_path = str_map_find (&ctx->config, "ca_path");
if (ca_file || ca_path)
{
if (SSL_CTX_load_verify_locations (self->ssl_ctx, ca_file, ca_path))
return true;
print_warning ("%s: %s",
"failed to set locations for trusted CA certificates",
ERR_reason_error_string (ERR_get_error ()));
}
return SSL_CTX_set_default_verify_paths (self->ssl_ctx);
}
static bool static bool
backend_ws_initialize_tls (struct app_context *ctx, backend_ws_initialize_tls (struct app_context *ctx,
const char *server_name, struct error **e) const char *server_name, struct error **e)
@ -994,9 +1021,8 @@ backend_ws_initialize_tls (struct app_context *ctx,
{ {
if (!(self->ssl_ctx = SSL_CTX_new (SSLv23_client_method ()))) if (!(self->ssl_ctx = SSL_CTX_new (SSLv23_client_method ())))
goto error_ssl_1; goto error_ssl_1;
if (ctx->trust_all) if (!backend_ws_set_up_ssl_ctx (ctx))
SSL_CTX_set_verify (self->ssl_ctx, SSL_VERIFY_NONE, NULL); goto error_ssl_2;
// XXX: how do we check certificates?
} }
self->ssl = SSL_new (self->ssl_ctx); self->ssl = SSL_new (self->ssl_ctx);
@ -1530,6 +1556,15 @@ backend_curl_init (struct app_context *ctx,
ctx->trust_all ? 0L : 2L) ctx->trust_all ? 0L : 2L)
|| curl_easy_setopt (curl, CURLOPT_URL, endpoint)) || curl_easy_setopt (curl, CURLOPT_URL, endpoint))
exit_fatal ("cURL setup failed"); exit_fatal ("cURL setup failed");
if (!ctx->trust_all)
{
const char *ca_file = str_map_find (&ctx->config, "ca_file");
const char *ca_path = str_map_find (&ctx->config, "ca_path");
if ((ca_file && !curl_easy_setopt (curl, CURLOPT_CAINFO, ca_file))
|| (ca_path && !curl_easy_setopt (curl, CURLOPT_CAPATH, ca_path)))
exit_fatal ("cURL setup failed");
}
} }
static void static void