ZyklonB: actually do verify the server certificate

Bud still tolerate if it doesn't pass verification.
This commit is contained in:
Přemysl Eric Janouch 2015-04-10 03:14:23 +02:00
parent dc08f9d5ab
commit 7de4bf3165

View File

@ -294,6 +294,18 @@ irc_send (struct bot_context *ctx, const char *format, ...)
return result; return result;
} }
static int
irc_ssl_verify_callback (int preverify_ok, X509_STORE_CTX *x509_ctx)
{
(void) x509_ctx;
if (!preverify_ok)
print_warning ("TLS certificate verification failed");
// We don't care; some encryption is always better than no encryption
return 1;
}
static bool static bool
irc_initialize_ssl (struct bot_context *ctx, struct error **e) irc_initialize_ssl (struct bot_context *ctx, struct error **e)
{ {
@ -301,8 +313,9 @@ irc_initialize_ssl (struct bot_context *ctx, struct error **e)
ctx->ssl_ctx = SSL_CTX_new (SSLv23_client_method ()); ctx->ssl_ctx = SSL_CTX_new (SSLv23_client_method ());
if (!ctx->ssl_ctx) if (!ctx->ssl_ctx)
goto error_ssl_1; goto error_ssl_1;
// We don't care; some encryption is always better than no encryption if (!SSL_CTX_set_default_verify_paths (ctx->ssl_ctx))
SSL_CTX_set_verify (ctx->ssl_ctx, SSL_VERIFY_NONE, NULL); print_warning ("couldn't load TLS CA certificates");
SSL_CTX_set_verify (ctx->ssl_ctx, SSL_VERIFY_PEER, irc_ssl_verify_callback);
// XXX: maybe we should call SSL_CTX_set_options() for some workarounds // XXX: maybe we should call SSL_CTX_set_options() for some workarounds
ctx->ssl = SSL_new (ctx->ssl_ctx); ctx->ssl = SSL_new (ctx->ssl_ctx);