ZyklonB: actually do verify the server certificate
Bud still tolerate if it doesn't pass verification.
This commit is contained in:
parent
dc08f9d5ab
commit
7de4bf3165
17
zyklonb.c
17
zyklonb.c
@ -294,6 +294,18 @@ irc_send (struct bot_context *ctx, const char *format, ...)
|
||||
return result;
|
||||
}
|
||||
|
||||
static int
|
||||
irc_ssl_verify_callback (int preverify_ok, X509_STORE_CTX *x509_ctx)
|
||||
{
|
||||
(void) x509_ctx;
|
||||
|
||||
if (!preverify_ok)
|
||||
print_warning ("TLS certificate verification failed");
|
||||
|
||||
// We don't care; some encryption is always better than no encryption
|
||||
return 1;
|
||||
}
|
||||
|
||||
static bool
|
||||
irc_initialize_ssl (struct bot_context *ctx, struct error **e)
|
||||
{
|
||||
@ -301,8 +313,9 @@ irc_initialize_ssl (struct bot_context *ctx, struct error **e)
|
||||
ctx->ssl_ctx = SSL_CTX_new (SSLv23_client_method ());
|
||||
if (!ctx->ssl_ctx)
|
||||
goto error_ssl_1;
|
||||
// We don't care; some encryption is always better than no encryption
|
||||
SSL_CTX_set_verify (ctx->ssl_ctx, SSL_VERIFY_NONE, NULL);
|
||||
if (!SSL_CTX_set_default_verify_paths (ctx->ssl_ctx))
|
||||
print_warning ("couldn't load TLS CA certificates");
|
||||
SSL_CTX_set_verify (ctx->ssl_ctx, SSL_VERIFY_PEER, irc_ssl_verify_callback);
|
||||
// XXX: maybe we should call SSL_CTX_set_options() for some workarounds
|
||||
|
||||
ctx->ssl = SSL_new (ctx->ssl_ctx);
|
||||
|
Loading…
Reference in New Issue
Block a user