degesch: fix certificate verification

Also print some certificate information while connecting.
This commit is contained in:
Přemysl Eric Janouch 2015-07-12 01:58:38 +02:00
parent 20b317db30
commit 4ead42f4e3

View File

@ -3842,12 +3842,40 @@ struct transport_tls_data
bool ssl_tx_want_rx; ///< SSL_write() wants to read
};
/// The index in SSL_CTX user data for a reference to the server
static int g_transport_tls_data_index = -1;
static int
transport_tls_verify_callback (int preverify_ok, X509_STORE_CTX *ctx)
{
SSL *ssl = X509_STORE_CTX_get_ex_data
(ctx, SSL_get_ex_data_X509_STORE_CTX_idx ());
struct server *s = SSL_CTX_get_ex_data
(SSL_get_SSL_CTX (ssl), g_transport_tls_data_index);
X509 *cert = X509_STORE_CTX_get_current_cert (ctx);
char *subject = X509_NAME_oneline (X509_get_subject_name (cert), NULL, 0);
char *issuer = X509_NAME_oneline (X509_get_issuer_name (cert), NULL, 0);
log_server_status (s, s->buffer, "Certificate subject: #s", subject);
log_server_status (s, s->buffer, "Certificate issuer: #s", issuer);
free (subject);
free (issuer);
return preverify_ok;
}
static bool
transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
{
bool verify = get_config_boolean (s->config, "ssl_verify");
if (!verify)
SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_NONE, NULL);
SSL_CTX_set_verify (ssl_ctx, verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
transport_tls_verify_callback);
if (g_transport_tls_data_index == -1)
g_transport_tls_data_index =
SSL_CTX_get_ex_new_index (0, "server", NULL, NULL, NULL);
SSL_CTX_set_ex_data (ssl_ctx, g_transport_tls_data_index, s);
// TODO: allow specifying SSL_CTX_set_cipher_list()
SSL_CTX_set_mode (ssl_ctx,