|
 |
7bd30fb |
From a54b6835493767c348b33381040506aee4629d19 Mon Sep 17 00:00:00 2001
|
|
|
7bd30fb |
From: Adam Williamson <awilliam@redhat.com>
|
|
|
7bd30fb |
Date: Fri, 19 Sep 2014 18:04:53 -0700
|
|
|
7bd30fb |
Subject: [PATCH 2/2] allow for certificate store to be unspecified in CA mode
|
|
|
7bd30fb |
|
|
|
7bd30fb |
In many cases, using OpenSSL's default certificate store is fine
|
|
|
7bd30fb |
and even preferred. If your OpenSSL provider (e.g. your
|
|
|
7bd30fb |
distribution) is competent, they will manage this database
|
|
|
7bd30fb |
better than you likely will.
|
|
|
7bd30fb |
|
|
|
7bd30fb |
This could be refined to test in the NULL case whether the
|
|
|
7bd30fb |
certificate store is empty, and fail out if so.
|
|
|
7bd30fb |
---
|
|
|
7bd30fb |
src/bip.c | 12 +++++++++---
|
|
|
7bd30fb |
src/connection.c | 17 +++++++++++++++--
|
|
|
7bd30fb |
2 files changed, 24 insertions(+), 5 deletions(-)
|
|
|
7bd30fb |
|
|
|
7bd30fb |
diff --git a/src/bip.c b/src/bip.c
|
|
|
7bd30fb |
index 37e72d9..f025c21 100644
|
|
|
7bd30fb |
--- a/src/bip.c
|
|
|
7bd30fb |
+++ b/src/bip.c
|
|
|
7bd30fb |
@@ -1540,9 +1540,15 @@ noroom:
|
|
|
7bd30fb |
bip_notify(ic, "%s", buf);
|
|
|
7bd30fb |
|
|
|
7bd30fb |
#ifdef HAVE_LIBSSL
|
|
|
7bd30fb |
- bip_notify(ic, "SSL check mode '%s', stored into '%s'",
|
|
|
7bd30fb |
- checkmode2text(u->ssl_check_mode),
|
|
|
7bd30fb |
- STRORNULL(u->ssl_check_store));
|
|
|
7bd30fb |
+ if (u->ssl_check_store) {
|
|
|
7bd30fb |
+ bip_notify(ic, "SSL check mode '%s', stored into '%s'",
|
|
|
7bd30fb |
+ checkmode2text(u->ssl_check_mode),
|
|
|
7bd30fb |
+ u->ssl_check_store);
|
|
|
7bd30fb |
+ }
|
|
|
7bd30fb |
+ else {
|
|
|
7bd30fb |
+ bip_notify(ic, "SSL check mode '%s', default or no certificate store",
|
|
|
7bd30fb |
+ checkmode2text(u->ssl_check_mode));
|
|
|
7bd30fb |
+ }
|
|
|
7bd30fb |
if (u->ssl_client_certfile)
|
|
|
7bd30fb |
bip_notify(ic, "SSL client certificate stored into '%s'",
|
|
|
7bd30fb |
u->ssl_client_certfile);
|
|
|
7bd30fb |
diff --git a/src/connection.c b/src/connection.c
|
|
|
7bd30fb |
index b534cd0..ab1516e 100644
|
|
|
7bd30fb |
--- a/src/connection.c
|
|
|
7bd30fb |
+++ b/src/connection.c
|
|
|
7bd30fb |
@@ -1470,6 +1470,17 @@ static connection_t *_connection_new_SSL(char *dsthostname, char *dstport,
|
|
|
7bd30fb |
}
|
|
|
7bd30fb |
break;
|
|
|
7bd30fb |
case SSL_CHECK_CA:
|
|
|
7bd30fb |
+ if (!check_store) {
|
|
|
7bd30fb |
+ if (SSL_CTX_set_default_verify_paths(conn->ssl_ctx_h)) {
|
|
|
7bd30fb |
+ mylog(LOG_INFO, "No SSL certificate check store configured. "
|
|
|
7bd30fb |
+ "Default store will be used.");
|
|
|
7bd30fb |
+ break;
|
|
|
7bd30fb |
+ } else {
|
|
|
7bd30fb |
+ mylog(LOG_ERROR, "No SSL certificate check store configured "
|
|
|
7bd30fb |
+ "and cannot use default store!");
|
|
|
7bd30fb |
+ return conn;
|
|
|
7bd30fb |
+ }
|
|
|
7bd30fb |
+ }
|
|
|
7bd30fb |
// Check if check_store is a file or directory
|
|
|
7bd30fb |
if (stat(check_store, &st_buf) == 0) {
|
|
|
7bd30fb |
if (st_buf.st_mode & S_IFDIR) {
|
|
|
7bd30fb |
@@ -1490,10 +1501,12 @@ static connection_t *_connection_new_SSL(char *dsthostname, char *dstport,
|
|
|
7bd30fb |
}
|
|
|
7bd30fb |
break;
|
|
|
7bd30fb |
}
|
|
|
7bd30fb |
- mylog(LOG_ERROR, "Check store is neither a file nor a directory.");
|
|
|
7bd30fb |
+ mylog(LOG_ERROR, "Specified SSL certificate check store is neither "
|
|
|
7bd30fb |
+ "a file nor a directory.");
|
|
|
7bd30fb |
return conn;
|
|
|
7bd30fb |
}
|
|
|
7bd30fb |
- mylog(LOG_ERROR, "Can't open check store! Make sure path is correct.");
|
|
|
7bd30fb |
+ mylog(LOG_ERROR, "Can't open SSL certificate check store! Check path "
|
|
|
7bd30fb |
+ "and permissions.");
|
|
|
7bd30fb |
return conn;
|
|
|
7bd30fb |
}
|
|
|
7bd30fb |
|
|
|
7bd30fb |
--
|
|
|
7bd30fb |
2.1.0
|
|
|
7bd30fb |
|