git://git.exim.org
/
exim.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
|
inline
| side by side (parent:
25ba254
)
Tidy certificate verification logic under OpenSSL
author
Jeremy Harris
<jgh146exb@wizmail.org>
Thu, 15 May 2014 23:07:31 +0000
(
00:07
+0100)
committer
Jeremy Harris
<jgh146exb@wizmail.org>
Fri, 16 May 2014 17:35:37 +0000
(18:35 +0100)
src/src/tls-openssl.c
patch
|
blob
|
history
diff --git
a/src/src/tls-openssl.c
b/src/src/tls-openssl.c
index db2544c037f56ffcfa1a0ebb985fbc5f57445ca9..f6ded3c56a1265226fdecea2caf3db8a8cfa3a8d 100644
(file)
--- a/
src/src/tls-openssl.c
+++ b/
src/src/tls-openssl.c
@@
-284,12
+284,11
@@
if (state == 0)
}
DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
"tls_try_verify_hosts)\n");
}
DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
"tls_try_verify_hosts)\n");
- return 1; /* accept */
}
}
-if (x509ctx->error_depth != 0)
+
else
if (x509ctx->error_depth != 0)
{
{
- DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d
cert
=%s\n",
+ DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d
SN
=%s\n",
x509ctx->error_depth, txt);
#ifdef EXPERIMENTAL_OCSP
if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
x509ctx->error_depth, txt);
#ifdef EXPERIMENTAL_OCSP
if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
@@
-305,22
+304,14
@@
if (x509ctx->error_depth != 0)
}
else
{
}
else
{
- DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
- *calledp ? "" : " authenticated", txt);
tlsp->peerdn = txt;
tlsp->peercert = X509_dup(x509ctx->current_cert);
tlsp->peerdn = txt;
tlsp->peercert = X509_dup(x509ctx->current_cert);
+ DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
+ *calledp ? "" : " authenticated", txt);
+ if (!*calledp) tlsp->certificate_verified = TRUE;
+ *calledp = TRUE;
}
}
-/*XXX JGH: this looks bogus - we set "verified" first time through, which
-will be for the root CS cert (calls work down the chain). Why should it
-not be on the last call, where we're setting peerdn?
-
-To test: set up a chain anchored by a good root-CA but with a bad server cert.
-Does certificate_verified get set?
-*/
-if (!*calledp) tlsp->certificate_verified = TRUE;
-*calledp = TRUE;
-
return 1; /* accept */
}
return 1; /* accept */
}