authorJeremy Harris <jgh146exb@wizmail.org>2014-10-30 20:48:02 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2014-10-30 20:48:02 +0000
commitc1cc0506c3069a9d93d71321f9578150662ede91 (patch)
tree34f05fd3384e3385cab2693752b7ea3265159d54
parent839a3b0d5528e557f52f47e8345e290edd86b520 (diff)
parenta3ef73105c3539e9d29c27095573f9d437752f7f (diff)
Fix cert-try-verify when denied by event action
-rw-r--r--src/src/tls-openssl.c25
1 files changed, 18 insertions, 7 deletions
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index c489ea51d..fe1b208ac 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -308,7 +308,6 @@ if (state == 0)
depth,
X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)),
txt);
- tlsp->certificate_verified = FALSE;
*calledp = TRUE;
if (!*optionalp)
{
@@ -342,9 +341,11 @@ else if (depth != 0)
{
log_write(0, LOG_MAIN, "SSL verify denied by event-action: "
"depth=%d cert=%s: %s", depth, txt, yield);
- tlsp->certificate_verified = FALSE;
*calledp = TRUE;
- return 0; /* reject */
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
+ "(host in tls_try_verify_hosts)\n");
}
X509_free(tlsp->peercert);
tlsp->peercert = NULL;
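Review bot: On the override path the main log still records only "SSL verify denied by event-action", and the fact that the session was allowed to continue is emitted only under `DEBUG(D_tls)`. Someone reading the main log afterwards would conclude the peer was rejected when it was not. I would record the override at the same level as the denial, for example `log_write(0, LOG_MAIN, "SSL verify failure overridden (host in tls_try_verify_hosts)");`, in place of or next to the debug_printf. The same applies to the depth=0 event-action hunk and to both certificate-name-mismatch hunks; the enclosing branch starts outside this hunk.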
@@ -389,7 +390,11 @@ else
{
log_write(0, LOG_MAIN,
"SSL verify error: certificate name mismatch: \"%s\"\n", txt);
- return 0; /* reject */
+ *calledp = TRUE;
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
+ "tls_try_verify_hosts)\n");
}
}
# else
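Review bot: With `return 0` now conditional, a name-mismatched certificate from a tls_try_verify_hosts peer falls through to the rest of the callback, and nothing in this hunk says what keeps it from being recorded as verified. Presumably the added `*calledp = TRUE;` is what stops later code from setting `tlsp->certificate_verified`, but that code is outside the hunk, so this needs confirming against the tail of the function. I would document the dependency with a comment above the assignment, such as `/* mark as called so this cert is not later flagged as verified */`. The `# else` hunk below and the two event-action hunks, where the explicit `tlsp->certificate_verified = FALSE;` was dropped, rely on the same unstated invariant.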
@@ -397,7 +402,11 @@ else
{
log_write(0, LOG_MAIN,
"SSL verify error: certificate name mismatch: \"%s\"\n", txt);
- return 0; /* reject */
+ *calledp = TRUE;
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
+ "tls_try_verify_hosts)\n");
}
# endif
#endif /*EXPERIMENTAL_CERTNAMES*/
@@ -409,9 +418,11 @@ else
{
log_write(0, LOG_MAIN, "SSL verify denied by event-action: "
"depth=0 cert=%s: %s", txt, yield);
- tlsp->certificate_verified = FALSE;
*calledp = TRUE;
- return 0; /* reject */
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
+ "(host in tls_try_verify_hosts)\n");
}
#endif