From 7de4bf31651ce663874146282517d61397800e31 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C5=99emysl=20Janouch?= <p.janouch@gmail.com>
Date: Fri, 10 Apr 2015 03:14:23 +0200
Subject: [PATCH] ZyklonB: actually do verify the server certificate

Bud still tolerate if it doesn't pass verification.
---
 zyklonb.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/zyklonb.c b/zyklonb.c
index 5426604..d375b0c 100644
--- a/zyklonb.c
+++ b/zyklonb.c
@@ -294,6 +294,18 @@ irc_send (struct bot_context *ctx, const char *format, ...)
 	return result;
 }
 
+static int
+irc_ssl_verify_callback (int preverify_ok, X509_STORE_CTX *x509_ctx)
+{
+	(void) x509_ctx;
+
+	if (!preverify_ok)
+		print_warning ("TLS certificate verification failed");
+
+	// We don't care; some encryption is always better than no encryption
+	return 1;
+}
+
 static bool
 irc_initialize_ssl (struct bot_context *ctx, struct error **e)
 {
@@ -301,8 +313,9 @@ irc_initialize_ssl (struct bot_context *ctx, struct error **e)
 	ctx->ssl_ctx = SSL_CTX_new (SSLv23_client_method ());
 	if (!ctx->ssl_ctx)
 		goto error_ssl_1;
-	// We don't care; some encryption is always better than no encryption
-	SSL_CTX_set_verify (ctx->ssl_ctx, SSL_VERIFY_NONE, NULL);
+	if (!SSL_CTX_set_default_verify_paths (ctx->ssl_ctx))
+		print_warning ("couldn't load TLS CA certificates");
+	SSL_CTX_set_verify (ctx->ssl_ctx, SSL_VERIFY_PEER, irc_ssl_verify_callback);
 	// XXX: maybe we should call SSL_CTX_set_options() for some workarounds
 
 	ctx->ssl = SSL_new (ctx->ssl_ctx);