1
0
Fork 0
mirror of git://git.psyced.org/git/psyclpc synced 2024-08-15 03:20:16 +00:00

tls crl patch from fippo

This commit is contained in:
psyc://psyced.org/~lynX 2011-05-24 16:29:39 +02:00
parent f90051b4d6
commit 417f1703c6

View file

@ -411,6 +411,76 @@ tls_global_init (void)
goto ssl_init_err;
}
if (tls_crlfile != NULL || tls_crldirectory != NULL)
{
X509_STORE *store = X509_STORE_new();
if (store != NULL)
{
if (tls_crlfile != NULL)
{
X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
if (lookup != NULL)
X509_LOOKUP_load_file(lookup, tls_crlfile, X509_FILETYPE_PEM);
}
if (tls_crldirectory != NULL)
{
X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
if (lookup != NULL)
X509_LOOKUP_add_dir(lookup, tls_crldirectory, X509_FILETYPE_PEM);
}
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
SSL_CTX_set_cert_store(context, store);
if (tls_crlfile != NULL && tls_crldirectory != NULL)
{
printf("%s TLS: (OpenSSL) CRLs from '%s' and '%s'.\n"
, time_stamp(), tls_crlfile, tls_crldirectory);
debug_message("%s TLS: (OpenSSL) CRLs from '%s' and '%s'.\n"
, time_stamp(), tls_crlfile, tls_crldirectory);
}
else if (tls_crlfile != NULL)
{
printf("%s TLS: (OpenSSL) CRLs from '%s'.\n"
, time_stamp(), tls_crlfile);
debug_message("%s TLS: (OpenSSL) CRLs from '%s'.\n"
, time_stamp(), tls_crlfile);
}
else if (tls_crldirectory != NULL)
{
printf("%s TLS: (OpenSSL) CRLs from '%s'.\n"
, time_stamp(), tls_crldirectory);
debug_message("%s TLS: (OpenSSL) CRLs from '%s'.\n"
, time_stamp(), tls_crldirectory);
}
else
{
printf("%s TLS: (OpenSSL) CRL checking disabled.\n"
, time_stamp());
debug_message("%s TLS: (OpenSSL) CRL checking disabled.\n"
, time_stamp());
}
#else
printf("%s TLS: Warning: Your OpenSSL version does not support "
"Certificate revocation list checking\n"
, time_stamp());
debug_message("%s TLS: Warning: Your OpenSSL version does not "
"support Certificate revocation list checking\n"
, time_stamp());
#endif
}
else
{
printf("%s TLS: Warning: There was a problem getting the "
"storage context from OpenSSL. Certificate revocation "
"list checking is not enabled.\n"
, time_stamp());
debug_message("%s TLS: Warning: There was a problem getting the "
"storage context from OpenSSL. Certificate revocation "
"list checking is not enabled.\n"
, time_stamp());
}
}
if (!SSL_CTX_load_verify_locations(context, trustfile, trustdirectory))
{
#ifdef VERBOSE