summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2014-05-16 00:07:31 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2014-05-16 18:35:37 +0100
commit93dcb1c245e78806b621bbc955b1a316f806e5a3 (patch)
tree450d2837c3cdf84082f2c62754a6f6080a05a6be /src
parent25ba25448b55c2fd5ea9b1aeed82e02d59816a07 (diff)
Tidy certificate verification logic under OpenSSL
Diffstat (limited to 'src')
-rw-r--r--src/src/tls-openssl.c21
1 files changed, 6 insertions, 15 deletions
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index db2544c03..f6ded3c56 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -284,12 +284,11 @@ if (state == 0)
}
DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
"tls_try_verify_hosts)\n");
- return 1; /* accept */
}
-if (x509ctx->error_depth != 0)
+else if (x509ctx->error_depth != 0)
{
- DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
+ DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n",
x509ctx->error_depth, txt);
#ifdef EXPERIMENTAL_OCSP
if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
@@ -305,22 +304,14 @@ if (x509ctx->error_depth != 0)
}
else
{
- DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
- *calledp ? "" : " authenticated", txt);
tlsp->peerdn = txt;
tlsp->peercert = X509_dup(x509ctx->current_cert);
+ DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
+ *calledp ? "" : " authenticated", txt);
+ if (!*calledp) tlsp->certificate_verified = TRUE;
+ *calledp = TRUE;
}
-/*XXX JGH: this looks bogus - we set "verified" first time through, which
-will be for the root CS cert (calls work down the chain). Why should it
-not be on the last call, where we're setting peerdn?
-
-To test: set up a chain anchored by a good root-CA but with a bad server cert.
-Does certificate_verified get set?
-*/
-if (!*calledp) tlsp->certificate_verified = TRUE;
-*calledp = TRUE;
-
return 1; /* accept */
}