S2S-TLS/OpenSSL: Fix handling of certificate information for incoming connections
Show proper certificate information for incoming connections, too, instead of always logging "peer did not present a certificate" regardless of whether the client sent a certificate or not. And free the client certificate structure "peer_cert" on incoming connections as well!
This commit is contained in:
parent
08647ab1e7
commit
679505aab9
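--- a/<PATH_NOT_ON_PAGE>
+++ b/<PATH_NOT_ON_PAGE>
@@ -935,22 +935,36 @@ ConnSSL_LogCertInfo( CONNECTION * c, bool connect)
 Log(LOG_INFO, "Connection %d: initialized %s using cipher %s, %s.",
 c->sock, SSL_get_version(ssl), SSL_get_cipher(ssl), comp_alg);
 peer_cert = SSL_get_peer_certificate(ssl);
-if (peer_cert && connect) {
+if (peer_cert) {
 cert_seen = true;
-/* Client: Check server certificate */
-int err = SSL_get_verify_result(ssl);
-if (err == X509_V_OK) {
-const char *peername = SSL_get0_peername(ssl);
-if (peername != NULL)
-cert_ok = true;
-LogDebug("X509_V_OK, peername = '%s'", peername);
-} else
-Log(LOG_ERR, "Certificate validation failed: %s",
-X509_verify_cert_error_string(err));
-snprintf(msg, sizeof(msg), "%svalid peer certificate",
-cert_ok ? "" : "in");
-LogOpenSSL_CertInfo(cert_ok ? LOG_DEBUG : LOG_ERR, peer_cert,
-msg);
+
+if (connect) {
+/* Outgoing connection. Verify the remote server! */
+int err = SSL_get_verify_result(ssl);
+if (err == X509_V_OK) {
+const char *peername = SSL_get0_peername(ssl);
+if (peername != NULL)
+cert_ok = true;
+LogDebug("X509_V_OK, peername = '%s'", peername);
+} else
+Log(LOG_WARNING, "Certificate validation failed: %s!",
+X509_verify_cert_error_string(err));
+
+snprintf(msg, sizeof(msg), "Got %svalid server certificate",
+cert_ok ? "" : "in");
+LogOpenSSL_CertInfo(LOG_INFO, peer_cert, msg);
+} else {
+/* Incoming connection.
+* Accept all certificates, don't depend on their
+* validity: for example, we don't know the hostname
+* to check, because we not yet even know if this is a
+* server connection at all and if so, which one, so we
+* don't know a host name to look for. On the other
+* hand we want client certificates, for example for
+* "CertFP" authentication with services ... */
+LogOpenSSL_CertInfo(LOG_INFO, peer_cert,
+"Got unchecked client certificate");
+}
 
 X509_free(peer_cert);
 }
@@ -1038,7 +1052,7 @@ done_cn_validation:
 if (cert_ok)
 Conn_OPTION_ADD(c, CONN_SSL_PEERCERT_OK);
 if (!cert_seen)
-Log(LOG_INFO, "Peer did not present a certificate");
+Log(LOG_INFO, "Peer did not present a certificate.");
 }
 
 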
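Review bot: `LogDebug("X509_V_OK, peername = '%s'", peername);` in the new `if (connect)` branch hands `peername` to a `%s` conversion even when it is NULL, which is precisely the case the `if (peername != NULL)` guard just above anticipates, and formatting a null pointer with `%s` is undefined behaviour; although the commit only re-indents this line, it should read `LogDebug("X509_V_OK, peername = '%s'", peername ? peername : "(none)");`. In the new incoming-connection branch the comment explains that every certificate is accepted but not that `cert_ok` stays false there, and since the second hunk grants `CONN_SSL_PEERCERT_OK` only from `cert_ok`, a closing sentence such as `/* cert_ok is deliberately left false here, so CONN_SSL_PEERCERT_OK is never set for an unverified client certificate. */` would stop a later reader from treating "Got unchecked client certificate" as an authenticated identity. With this change LogOpenSSL_CertInfo() is now reached at LOG_INFO for any TLS client that presents a certificate, so whatever subject or issuer text it writes is peer-supplied; it is worth confirming that the logger neutralises control characters before the line lands in syslog. ConnSSL_LogCertInfo() begins before the first hunk and continues past it, and the `done_cn_validation:` hunk sits further down in the same function.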