From aea800c047a2b5a2de41477ac154dfb7cd4360d2 Mon Sep 17 00:00:00 2001
From: Philipp Hancke
Date: Tue, 4 May 2010 18:53:27 +0200
Subject: [PATCH] no support for SSL2 any longer. And ignore some funny flags on leaf certs
---
 src/pkg-tls.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/pkg-tls.c b/src/pkg-tls.c
index bddc437..9195b60 100644
--- a/src/pkg-tls.c
+++ b/src/pkg-tls.c
@@ -161,6 +161,26 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, sizeof buf);
 printf("depth %d: %s\n", X509_STORE_CTX_get_error_depth(ctx), buf);
 }
+ if (!preverify_ok)
+ {
+ int err;
+ int depth;
+
+ /* ignore purpose flag on leaf certs */
+ err = X509_STORE_CTX_get_error(ctx);
+ depth = X509_STORE_CTX_get_error_depth(ctx);
+ if (err == X509_V_ERR_INVALID_PURPOSE && depth == 0)
+ {
+ SSL *ssl;
+ ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+
+ preverify_ok = 1;
+ err = X509_V_OK;
+ SSL_set_verify_result(ssl, X509_V_OK);
+ X509_STORE_CTX_set_error(ctx, X509_V_OK);
+ }
+
+ }
 return MY_TRUE;
 } /* tls_verify_callback() */
@@ -444,7 +464,8 @@ tls_global_init (void)
 }
 /* Avoid small subgroup attacks */
- SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);
+ /* do not do SSLv2 */
+ SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2);
 /* OpenSSL successfully initialised */
 tls_available = MY_TRUE;
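Review bot: The reset at `X509_STORE_CTX_set_error(ctx, X509_V_OK)` wipes the single error slot the store context keeps, and since this callback returns MY_TRUE for every failure (the pre-existing `return MY_TRUE;` at the end of the hunk), any earlier error at another depth that was already waved through is no longer reflected in the final verify result once the leaf's purpose error is cleared — whether such an earlier error can still be pending at this point depends on the order OpenSSL runs its checks, so please confirm against the OpenSSL version in use. The `ssl` pointer from X509_STORE_CTX_get_ex_data() is handed to SSL_set_verify_result() without a NULL check, and `err = X509_V_OK;` is a dead store that only obscures intent. The same relaxation can be expressed without mutating verification state from inside the callback: set `SSL_CTX_set_purpose(context, X509_PURPOSE_ANY);` where the context is configured and leave this callback untouched, so the purpose error is never raised for any depth and nothing else is clobbered. If the in-callback override stays, the comment should name which leaf certificates trip the purpose check and why accepting them is safe, e.g. `/* some peer certs carry an EKU that fails the client/server purpose check; accept that one error on the leaf only, nothing else is relaxed */`. tls_verify_callback's body starts above this hunk.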
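Review bot: `SSL_OP_NO_SSLv2` only takes effect if `context` was created with a version-flexible method (the SSLv23_*_method family); if tls_global_init, whose start lies above this hunk, builds it with a fixed-version method the option is a silent no-op, worth confirming where the context is created. SSLv3 remains negotiable after this change, so if the intent is to stop offering legacy protocols the same call should read `SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`. The new comment merely restates the flag name; a reason reads better, e.g. `/* SSLv2 has known protocol-level weaknesses; never negotiate it */`.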