Drop SSLv2 support. Ignore the certificate purpose (keyUsage/extendedKeyUsage) check on leaf certificates.
This commit is contained in:
parent
4b7c49e942
commit
aea800c047
1 changed files with 22 additions and 1 deletions
|
@ -161,6 +161,26 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
|
|||
X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, sizeof buf);
|
||||
printf("depth %d: %s\n", X509_STORE_CTX_get_error_depth(ctx), buf);
|
||||
}
|
||||
if (!preverify_ok)
|
||||
{
|
||||
int err;
|
||||
int depth;
|
||||
|
||||
/* ignore purpose flag on leaf certs */
|
||||
err = X509_STORE_CTX_get_error(ctx);
|
||||
depth = X509_STORE_CTX_get_error_depth(ctx);
|
||||
if (err == X509_V_ERR_INVALID_PURPOSE && depth == 0)
|
||||
{
|
||||
SSL *ssl;
|
||||
ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
|
||||
|
||||
preverify_ok = 1;
|
||||
err = X509_V_OK;
|
||||
SSL_set_verify_result(ssl, X509_V_OK);
|
||||
X509_STORE_CTX_set_error(ctx, X509_V_OK);
|
||||
}
|
||||
|
||||
}
|
||||
return MY_TRUE;
|
||||
} /* tls_verify_callback() */
|
||||
|
||||
|
@ -444,7 +464,8 @@ tls_global_init (void)
|
|||
}
|
||||
|
||||
/* Avoid small subgroup attacks */
|
||||
SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);
|
||||
/* do not do SSLv2 */
|
||||
SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2);
|
||||
|
||||
/* OpenSSL successfully initialised */
|
||||
tls_available = MY_TRUE;
|
||||
|
|
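Review bot: Clearing the store error with `X509_STORE_CTX_set_error(ctx, X509_V_OK);` at depth 0 discards any error the callback was already shown for this chain — and because tls_verify_callback returns MY_TRUE for every error, OpenSSL keeps walking the chain after, say, an untrusted issuer has been reported, so a leaf that then trips INVALID_PURPOSE can finish verification with ctx->error == X509_V_OK and a clean-looking verify result (this follows from the verify-callback contract as I read it; confirm against the OpenSSL version in use). The override is also broad: X509_V_ERR_INVALID_PURPOSE covers keyUsage, extendedKeyUsage and nsCertType, so a certificate issued only for client authentication or S/MIME becomes acceptable as a peer certificate, and no log line records that the check was waived. `preverify_ok = 1;` and `err = X509_V_OK;` are dead stores (the function returns MY_TRUE regardless and err is never read again), and `ssl` is passed to SSL_set_verify_result without a NULL check. A safer shape is to tolerate the purpose error without rewriting ctx->error and instead accept INVALID_PURPOSE at depth 0 where SSL_get_verify_result is consumed after the handshake (that check is outside this hunk), or to record the waived error in the SSL ex_data rather than erasing it; tls_verify_callback itself begins before this hunk.
```c
    if (!preverify_ok)
    {
        int err = X509_STORE_CTX_get_error(ctx);
        int depth = X509_STORE_CTX_get_error_depth(ctx);

        /* Tolerate a purpose/keyUsage mismatch on the leaf only, but leave
         * ctx->error untouched: an error reported earlier in the chain walk
         * must survive to the final verify result, and the post-handshake
         * check is where INVALID_PURPOSE at depth 0 should be accepted. */
        if (err == X509_V_ERR_INVALID_PURPOSE && depth == 0)
            return MY_TRUE;
    }
    /* … unchanged: return MY_TRUE … */
```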