ZyklonB: actually do verify the server certificate
Bud still tolerate if it doesn't pass verification.
This commit is contained in:
parent
dc08f9d5ab
commit
7de4bf3165
17
zyklonb.c
17
zyklonb.c
@ -294,6 +294,18 @@ irc_send (struct bot_context *ctx, const char *format, ...)
|
|||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
irc_ssl_verify_callback (int preverify_ok, X509_STORE_CTX *x509_ctx)
|
||||||
|
{
|
||||||
|
(void) x509_ctx;
|
||||||
|
|
||||||
|
if (!preverify_ok)
|
||||||
|
print_warning ("TLS certificate verification failed");
|
||||||
|
|
||||||
|
// We don't care; some encryption is always better than no encryption
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
irc_initialize_ssl (struct bot_context *ctx, struct error **e)
|
irc_initialize_ssl (struct bot_context *ctx, struct error **e)
|
||||||
{
|
{
|
||||||
@ -301,8 +313,9 @@ irc_initialize_ssl (struct bot_context *ctx, struct error **e)
|
|||||||
ctx->ssl_ctx = SSL_CTX_new (SSLv23_client_method ());
|
ctx->ssl_ctx = SSL_CTX_new (SSLv23_client_method ());
|
||||||
if (!ctx->ssl_ctx)
|
if (!ctx->ssl_ctx)
|
||||||
goto error_ssl_1;
|
goto error_ssl_1;
|
||||||
// We don't care; some encryption is always better than no encryption
|
if (!SSL_CTX_set_default_verify_paths (ctx->ssl_ctx))
|
||||||
SSL_CTX_set_verify (ctx->ssl_ctx, SSL_VERIFY_NONE, NULL);
|
print_warning ("couldn't load TLS CA certificates");
|
||||||
|
SSL_CTX_set_verify (ctx->ssl_ctx, SSL_VERIFY_PEER, irc_ssl_verify_callback);
|
||||||
// XXX: maybe we should call SSL_CTX_set_options() for some workarounds
|
// XXX: maybe we should call SSL_CTX_set_options() for some workarounds
|
||||||
|
|
||||||
ctx->ssl = SSL_new (ctx->ssl_ctx);
|
ctx->ssl = SSL_new (ctx->ssl_ctx);
|
||||||
|
Loading…
Reference in New Issue
Block a user