diff options
author | Jeremy Harris <jgh146exb@wizmail.org> | 2014-05-16 00:07:31 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2014-05-16 18:35:37 +0100 |
commit | 93dcb1c245e78806b621bbc955b1a316f806e5a3 (patch) | |
tree | 450d2837c3cdf84082f2c62754a6f6080a05a6be /src | |
parent | 25ba25448b55c2fd5ea9b1aeed82e02d59816a07 (diff) |
Tidy certificate verification logic under OpenSSL
Diffstat (limited to 'src')
-rw-r--r-- | src/src/tls-openssl.c | 21 |
1 files changed, 6 insertions, 15 deletions
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index db2544c03..f6ded3c56 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -284,12 +284,11 @@ if (state == 0) } DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in " "tls_try_verify_hosts)\n"); - return 1; /* accept */ } -if (x509ctx->error_depth != 0) +else if (x509ctx->error_depth != 0) { - DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n", + DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", x509ctx->error_depth, txt); #ifdef EXPERIMENTAL_OCSP if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store) @@ -305,22 +304,14 @@ if (x509ctx->error_depth != 0) } else { - DEBUG(D_tls) debug_printf("SSL%s peer: %s\n", - *calledp ? "" : " authenticated", txt); tlsp->peerdn = txt; tlsp->peercert = X509_dup(x509ctx->current_cert); + DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n", + *calledp ? "" : " authenticated", txt); + if (!*calledp) tlsp->certificate_verified = TRUE; + *calledp = TRUE; } -/*XXX JGH: this looks bogus - we set "verified" first time through, which -will be for the root CS cert (calls work down the chain). Why should it -not be on the last call, where we're setting peerdn? - -To test: set up a chain anchored by a good root-CA but with a bad server cert. -Does certificate_verified get set? -*/ -if (!*calledp) tlsp->certificate_verified = TRUE; -*calledp = TRUE; - return 1; /* accept */ } |