degesch: fix certificate verification
Also print some certificate information while connecting.
This commit is contained in:
parent
20b317db30
commit
4ead42f4e3
32
degesch.c
32
degesch.c
@ -3842,12 +3842,40 @@ struct transport_tls_data
|
||||
bool ssl_tx_want_rx; ///< SSL_write() wants to read
|
||||
};
|
||||
|
||||
/// The index in SSL_CTX user data for a reference to the server
|
||||
static int g_transport_tls_data_index = -1;
|
||||
|
||||
static int
|
||||
transport_tls_verify_callback (int preverify_ok, X509_STORE_CTX *ctx)
|
||||
{
|
||||
SSL *ssl = X509_STORE_CTX_get_ex_data
|
||||
(ctx, SSL_get_ex_data_X509_STORE_CTX_idx ());
|
||||
struct server *s = SSL_CTX_get_ex_data
|
||||
(SSL_get_SSL_CTX (ssl), g_transport_tls_data_index);
|
||||
|
||||
X509 *cert = X509_STORE_CTX_get_current_cert (ctx);
|
||||
char *subject = X509_NAME_oneline (X509_get_subject_name (cert), NULL, 0);
|
||||
char *issuer = X509_NAME_oneline (X509_get_issuer_name (cert), NULL, 0);
|
||||
|
||||
log_server_status (s, s->buffer, "Certificate subject: #s", subject);
|
||||
log_server_status (s, s->buffer, "Certificate issuer: #s", issuer);
|
||||
|
||||
free (subject);
|
||||
free (issuer);
|
||||
return preverify_ok;
|
||||
}
|
||||
|
||||
static bool
|
||||
transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
|
||||
{
|
||||
bool verify = get_config_boolean (s->config, "ssl_verify");
|
||||
if (!verify)
|
||||
SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_NONE, NULL);
|
||||
SSL_CTX_set_verify (ssl_ctx, verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
|
||||
transport_tls_verify_callback);
|
||||
|
||||
if (g_transport_tls_data_index == -1)
|
||||
g_transport_tls_data_index =
|
||||
SSL_CTX_get_ex_new_index (0, "server", NULL, NULL, NULL);
|
||||
SSL_CTX_set_ex_data (ssl_ctx, g_transport_tls_data_index, s);
|
||||
|
||||
// TODO: allow specifying SSL_CTX_set_cipher_list()
|
||||
SSL_CTX_set_mode (ssl_ctx,
|
||||
|
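Review bot: When preverify_ok is 0 the new transport_tls_verify_callback logs the subject and issuer but never the failure reason, so a rejected connection is reported without saying why; before the return add `if (!preverify_ok) log_server_status (s, s->buffer, "Certificate verification failed: #s", X509_verify_cert_error_string (X509_STORE_CTX_get_error (ctx)));`, and including X509_STORE_CTX_get_error_depth () in the subject/issuer lines would show which chain element each pair belongs to, since the callback runs once per certificate in the chain. The strings returned by X509_NAME_oneline () with a NULL buffer are allocated by OpenSSL and are documented to be released with OPENSSL_free (), not free (). SSL_VERIFY_PEER only validates the chain; unless the server hostname is matched against the certificate elsewhere in the file, a valid certificate issued for any name would still be accepted. transport_tls_init_ctx continues past the end of the hunk.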