diff options
author | Jeremy Harris <jgh146exb@wizmail.org> | 2014-10-30 20:48:02 +0000 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2014-10-30 20:48:02 +0000 |
commit | c1cc0506c3069a9d93d71321f9578150662ede91 (patch) | |
tree | 34f05fd3384e3385cab2693752b7ea3265159d54 /src | |
parent | 839a3b0d5528e557f52f47e8345e290edd86b520 (diff) | |
parent | a3ef73105c3539e9d29c27095573f9d437752f7f (diff) |
Fix cert-try-verify when denied by event action
Diffstat (limited to 'src')
-rw-r--r-- | src/src/tls-openssl.c | 25 |
1 files changed, 18 insertions, 7 deletions
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index c489ea51d..fe1b208ac 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -308,7 +308,6 @@ if (state == 0) depth, X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), txt); - tlsp->certificate_verified = FALSE; *calledp = TRUE; if (!*optionalp) { @@ -342,9 +341,11 @@ else if (depth != 0) { log_write(0, LOG_MAIN, "SSL verify denied by event-action: " "depth=%d cert=%s: %s", depth, txt, yield); - tlsp->certificate_verified = FALSE; *calledp = TRUE; - return 0; /* reject */ + if (!*optionalp) + return 0; /* reject */ + DEBUG(D_tls) debug_printf("Event-action verify failure overridden " + "(host in tls_try_verify_hosts)\n"); } X509_free(tlsp->peercert); tlsp->peercert = NULL; @@ -389,7 +390,11 @@ else { log_write(0, LOG_MAIN, "SSL verify error: certificate name mismatch: \"%s\"\n", txt); - return 0; /* reject */ + *calledp = TRUE; + if (!*optionalp) + return 0; /* reject */ + DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in " + "tls_try_verify_hosts)\n"); } } # else @@ -397,7 +402,11 @@ else { log_write(0, LOG_MAIN, "SSL verify error: certificate name mismatch: \"%s\"\n", txt); - return 0; /* reject */ + *calledp = TRUE; + if (!*optionalp) + return 0; /* reject */ + DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in " + "tls_try_verify_hosts)\n"); } # endif #endif /*EXPERIMENTAL_CERTNAMES*/ @@ -409,9 +418,11 @@ else { log_write(0, LOG_MAIN, "SSL verify denied by event-action: " "depth=0 cert=%s: %s", txt, yield); - tlsp->certificate_verified = FALSE; *calledp = TRUE; - return 0; /* reject */ + if (!*optionalp) + return 0; /* reject */ + DEBUG(D_tls) debug_printf("Event-action verify failure overridden " + "(host in tls_try_verify_hosts)\n"); } #endif |