author | Jeremy Harris <jgh146exb@wizmail.org> | 2014-10-26 22:14:03 +0000 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2014-10-26 22:14:03 +0000 |
commit | a3ef73105c3539e9d29c27095573f9d437752f7f (patch) | |
tree | 6552a761939a77e13cfdf597137a4b514dc96990 | |
parent | 4650b314ad07f4813d2cb826546d9048a4555c83 (diff) |
Fix cert-try-verify when denied by event action
-rw-r--r-- | src/src/tls-openssl.c | 25 |
1 files changed, 18 insertions, 7 deletions
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 25d523274..a2e1136d0 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -305,7 +305,6 @@ if (state == 0)
 depth,
 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)),
 txt);
- tlsp->certificate_verified = FALSE;
 *calledp = TRUE;
 if (!*optionalp)
 {
@@ -339,9 +338,11 @@ else if (depth != 0)
 {
 log_write(0, LOG_MAIN, "SSL verify denied by event-action: "
 "depth=%d cert=%s", depth, txt);
- tlsp->certificate_verified = FALSE;
 *calledp = TRUE;
- return 0; /* reject */
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
+ "(host in tls_try_verify_hosts)\n");
 }
 X509_free(tlsp->peercert);
 tlsp->peercert = NULL;
@@ -386,7 +387,11 @@ else
 {
 log_write(0, LOG_MAIN,
 "SSL verify error: certificate name mismatch: \"%s\"\n", txt);
- return 0; /* reject */
+ *calledp = TRUE;
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
+ "tls_try_verify_hosts)\n");
 }
 }
 # else
@@ -394,7 +399,11 @@ else
 {
 log_write(0, LOG_MAIN,
 "SSL verify error: certificate name mismatch: \"%s\"\n", txt);
- return 0; /* reject */
+ *calledp = TRUE;
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
+ "tls_try_verify_hosts)\n");
 }
 # endif
 #endif /*EXPERIMENTAL_CERTNAMES*/
@@ -406,9 +415,11 @@ else
 {
 log_write(0, LOG_MAIN, "SSL verify denied by event-action: "
 "depth=0 cert=%s", txt);
- tlsp->certificate_verified = FALSE;
 *calledp = TRUE;
- return 0; /* reject */
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
+ "(host in tls_try_verify_hosts)\n");
 }
 #endif
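Review bot: In the `@@ -386,7 +387,11 @@` hunk (and its `# else` twin) a certificate-name mismatch on a host in tls_try_verify_hosts now falls through instead of rejecting, and the only thing left to stop the session being reported as verified is the newly added `*calledp = TRUE;`, since this commit also removes the explicit `tlsp->certificate_verified = FALSE;` from the other failure paths. That is only safe if the flag starts out FALSE before the handshake and the depth-0 success path at the end of the callback (outside this hunk) refuses to set it once `*calledp` is set; neither is visible here, so I would document the contract on the new line: `*calledp = TRUE;   /* failure seen: the success path below must leave certificate_verified FALSE */`. I would also record the override in the main log rather than only under DEBUG, e.g. `log_write(0, LOG_MAIN, "SSL verify failure overridden (host in tls_try_verify_hosts)");`, because as written the mainlog shows only "SSL verify error: certificate name mismatch" and an operator cannot tell from it that delivery continued to an unverified peer. The enclosing verify callback starts and ends outside the hunk.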