degesch: fix certificate verification

Also print some certificate information while connecting.
2015-07-12 01:58:38 +02:00 · 2015-07-12 01:58:38 +02:00 · 4ead42f4e3
commit 4ead42f4e3
parent 20b317db30
1 changed files with 30 additions and 2 deletions
--- a/degesch.c
+++ b/degesch.c
@ -3842,12 +3842,40 @@ struct transport_tls_data
 	bool ssl_tx_want_rx;                ///< SSL_write() wants to read
 };

+/// The index in SSL_CTX user data for a reference to the server
+static int g_transport_tls_data_index = -1;
+
+static int
+transport_tls_verify_callback (int preverify_ok, X509_STORE_CTX *ctx)
+{
+	SSL *ssl = X509_STORE_CTX_get_ex_data
+		(ctx, SSL_get_ex_data_X509_STORE_CTX_idx ());
+	struct server *s = SSL_CTX_get_ex_data
+		(SSL_get_SSL_CTX (ssl), g_transport_tls_data_index);
+
+	X509 *cert = X509_STORE_CTX_get_current_cert (ctx);
+	char *subject = X509_NAME_oneline (X509_get_subject_name (cert), NULL, 0);
+	char *issuer  = X509_NAME_oneline (X509_get_issuer_name  (cert), NULL, 0);
+
+	log_server_status (s, s->buffer, "Certificate subject: #s", subject);
+	log_server_status (s, s->buffer, "Certificate issuer: #s", issuer);
+
+	free (subject);
+	free (issuer);
+	return preverify_ok;
+}
+
 static bool
 transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
 {
 	bool verify = get_config_boolean (s->config, "ssl_verify");
-	if (!verify)
-		SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_NONE, NULL);
+	SSL_CTX_set_verify (ssl_ctx, verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
+		transport_tls_verify_callback);
+
+	if (g_transport_tls_data_index == -1)
+		g_transport_tls_data_index =
+			SSL_CTX_get_ex_new_index (0, "server", NULL, NULL, NULL);
+	SSL_CTX_set_ex_data (ssl_ctx, g_transport_tls_data_index, s);

 	// TODO: allow specifying SSL_CTX_set_cipher_list()
 	SSL_CTX_set_mode (ssl_ctx,