/[hydra]/hydra/src/ssl.c

Diff of /hydra/src/ssl.c

Parent Directory | Revision Log | View Patch Patch

-revision 1.7 by nmav,
Sat Oct  5 08:32:52 2002 UTC
+revision 1.8 by nmav,
Sat Oct  5 09:39:36 2002 UTC
 Line 44 
 extern char* ssl_comp;
  extern char* ssl_protocol;
  extern int ssl_verify; /* 0 no verify, 1 request certificate, and validate
                          * if sent, 2 require certificate and validate.
+                         * 3 is request one, and try to verify it. Does not fail in
+                         * any case.
                          */
  static void wrap_db_init(void);
-Line 200 
 gnutls_session initialize_ssl_session(vo
+Line 202 
 gnutls_session initialize_ssl_session(vo
      gnutls_handshake_set_private_extensions( state, 1);
-     if (ssl_verify == 1) {
+     if (ssl_verify == 1 || ssl_verify == 3) {
         gnutls_certificate_server_set_request( state, GNUTLS_CERT_REQUEST);
      } else if (ssl_verify == 2) {
         gnutls_certificate_server_set_request( state, GNUTLS_CERT_REQUIRE);
-Line 552 
 int finish_handshake(request * current)
+Line 554 
 int finish_handshake(request * current)
          }
      } else if (retval == 0) {
-         if (ssl_verify == 2 || ssl_verify == 1) {
+         if (ssl_verify >= 1) {
             int verify;
             char name[128];
             const gnutls_datum *cert_list;
-Line 560 
 int finish_handshake(request * current)
+Line 562 
 int finish_handshake(request * current)
             verify = gnutls_certificate_verify_peers( current->ssl_state);
+            current->certificate_verified = "NONE";
-            if (verify != GNUTLS_E_NO_CERTIFICATE_FOUND || ssl_verify != 1) {
+            if (verify != GNUTLS_E_NO_CERTIFICATE_FOUND || ssl_verify == 2) {
                cert_list =
                  gnutls_certificate_get_peers(current->ssl_state, &cert_list_size);
                if (cert_list)
-                  generate_x509_dn( name, sizeof(name), &cert_list[0]);
+                  generate_x509_dn( name, sizeof(name), &cert_list[0], 0);
                log_error_time();
                if (verify & GNUTLS_CERT_NOT_TRUSTED || verify & GNUTLS_CERT_INVALID ||
                   verify & GNUTLS_CERT_CORRUPTED || verify & GNUTLS_CERT_REVOKED)
                {
-                  fprintf( stderr, "tls: X.509 Certificate by '%s' is NOT trusted. Rejecting connection.\n", name);
+                  current->certificate_verified = "FAILED";
-                  current->alert_to_send = GNUTLS_A_BAD_CERTIFICATE;
+                  fprintf( stderr, "tls: X.509 Certificate by '%s' is NOT trusted.\n", name);
-                  current->status = SEND_ALERT;
-                  return 1;
+                  if (ssl_verify == 2 || ssl_verify == 1) {
+                      current->alert_to_send = GNUTLS_A_BAD_CERTIFICATE;
+                      current->status = SEND_ALERT;
+                      return 1;
+                  }
+               } else {
+                  current->certificate_verified = "SUCCESS";
+                  fprintf( stderr, "tls: X.509 Certificate by '%s' was verified.\n", name);
                }
-               fprintf( stderr, "tls: X.509 Certificate by '%s' was verified.\n", name);
             }
          }

 Legend:



Removed from v.1.7
 


changed lines


 
Added in v.1.8
 Legend:



Removed from v.1.7
 


changed lines


 
Added in v.1.8
-Removed from v.1.7
+Added in v.1.8

webmaster@linux.gr	ViewVC Help
Powered by ViewVC 1.1.26