Drop SSLv2 support (SSL_OP_NO_SSLv2), and ignore the "invalid purpose" (key-usage) verification error on leaf certificates
This commit is contained in:
parent
4b7c49e942
commit
aea800c047
1 changed files with 22 additions and 1 deletions
|
@ -161,6 +161,26 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
|
||||||
X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, sizeof buf);
|
X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, sizeof buf);
|
||||||
printf("depth %d: %s\n", X509_STORE_CTX_get_error_depth(ctx), buf);
|
printf("depth %d: %s\n", X509_STORE_CTX_get_error_depth(ctx), buf);
|
||||||
}
|
}
|
||||||
|
if (!preverify_ok)
|
||||||
|
{
|
||||||
|
int err;
|
||||||
|
int depth;
|
||||||
|
|
||||||
|
/* ignore purpose flag on leaf certs */
|
||||||
|
err = X509_STORE_CTX_get_error(ctx);
|
||||||
|
depth = X509_STORE_CTX_get_error_depth(ctx);
|
||||||
|
if (err == X509_V_ERR_INVALID_PURPOSE && depth == 0)
|
||||||
|
{
|
||||||
|
SSL *ssl;
|
||||||
|
ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
|
||||||
|
|
||||||
|
preverify_ok = 1;
|
||||||
|
err = X509_V_OK;
|
||||||
|
SSL_set_verify_result(ssl, X509_V_OK);
|
||||||
|
X509_STORE_CTX_set_error(ctx, X509_V_OK);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
return MY_TRUE;
|
return MY_TRUE;
|
||||||
} /* tls_verify_callback() */
|
} /* tls_verify_callback() */
|
||||||
|
|
||||||
|
@ -444,7 +464,8 @@ tls_global_init (void)
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Avoid small subgroup attacks */
|
/* Avoid small subgroup attacks */
|
||||||
SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);
|
/* do not do SSLv2 */
|
||||||
|
SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2);
|
||||||
|
|
||||||
/* OpenSSL successfully initialised */
|
/* OpenSSL successfully initialised */
|
||||||
tls_available = MY_TRUE;
|
tls_available = MY_TRUE;
|
||||||
|
|
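Review bot: In the new `X509_V_ERR_INVALID_PURPOSE && depth == 0` branch of tls_verify_callback, `ssl` comes from `X509_STORE_CTX_get_ex_data()` and is passed straight to `SSL_set_verify_result(ssl, X509_V_OK)` with no NULL check; if the ex_data lookup ever fails (the callback being driven outside a live SSL handshake, or the index not registered) this is a NULL dereference, so guard it: `if (ssl != NULL) SSL_set_verify_result(ssl, X509_V_OK);`. Note also that the function still ends in an unconditional `return MY_TRUE;`, so this block does not change whether the handshake proceeds — it only clears the error recorded in the store context (and, presumably, what `SSL_get_verify_result()` reports afterwards), meaning a leaf certificate whose keyUsage/extendedKeyUsage does not match the expected purpose will now read as `X509_V_OK` to any caller that inspects the verify result. That is a deliberate weakening of the purpose check and deserves a comment saying so, e.g. `/* leaf certs with a non-matching (extended)KeyUsage are reported as valid; purpose errors at depth > 0 are still recorded */`. Since `SSL_set_verify_result()` during the handshake is likely overwritten by the final store-context error anyway, the `X509_STORE_CTX_set_error(ctx, X509_V_OK)` call is the one doing the work here — worth confirming against the OpenSSL version in use. The surrounding code already accepts every other verification error via `return MY_TRUE;`, which predates this change but should be mentioned in the same comment.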