|
|
|
@ -39,8 +39,11 @@
|
|
|
|
|
#ifdef HAVE_LIBSSL |
|
|
|
|
# include <openssl/ssl.h> |
|
|
|
|
# include <openssl/err.h> |
|
|
|
|
# include <openssl/hmac.h> |
|
|
|
|
# include <openssl/x509v3.h> |
|
|
|
|
# if OPENSSL_VERSION_NUMBER < 0x10100000L |
|
|
|
|
# define X509_OBJECT_get0_X509(o) ((o)->data.x509) |
|
|
|
|
# define X509_STORE_get0_objects(o) ((o)->objs) |
|
|
|
|
# endif |
|
|
|
|
#endif |
|
|
|
|
|
|
|
|
|
enum { |
|
|
|
@ -172,13 +175,13 @@ verify_cert_host( const server_conf_t *conf, conn_t *sock )
|
|
|
|
|
|
|
|
|
|
trusted = (STACK_OF(X509_OBJECT) *)sock->conf->trusted_certs; |
|
|
|
|
for (i = 0; i < sk_X509_OBJECT_num( trusted ); i++) { |
|
|
|
|
if (!X509_cmp( cert, sk_X509_OBJECT_value( trusted, i )->data.x509 )) |
|
|
|
|
if (!X509_cmp( cert, X509_OBJECT_get0_X509( sk_X509_OBJECT_value( trusted, i ) ) )) |
|
|
|
|
return 0; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
err = SSL_get_verify_result( sock->ssl ); |
|
|
|
|
if (err != X509_V_OK) { |
|
|
|
|
error( "SSL error connecting %s: %s\n", sock->name, ERR_error_string( err, NULL ) ); |
|
|
|
|
error( "SSL error connecting %s: %s\n", sock->name, X509_verify_cert_error_string( err ) ); |
|
|
|
|
return -1; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
@ -223,7 +226,7 @@ init_ssl_ctx( const server_conf_t *conf )
|
|
|
|
|
conf->cert_file, ERR_error_string( ERR_get_error(), 0 ) ); |
|
|
|
|
return 0; |
|
|
|
|
} |
|
|
|
|
mconf->trusted_certs = (_STACK *)sk_X509_OBJECT_dup( SSL_CTX_get_cert_store( mconf->SSLContext )->objs ); |
|
|
|
|
mconf->trusted_certs = (_STACK *)sk_X509_OBJECT_dup( X509_STORE_get0_objects( SSL_CTX_get_cert_store( mconf->SSLContext ) ) ); |
|
|
|
|
if (mconf->system_certs && !SSL_CTX_set_default_verify_paths( mconf->SSLContext )) |
|
|
|
|
warn( "Warning: Unable to load default certificate files: %s\n", |
|
|
|
|
ERR_error_string( ERR_get_error(), 0 ) ); |
|
|
|
|