From cc53012cfa5266fd2f0397030987e9c73f3ff732 Mon Sep 17 00:00:00 2001 From: Dmitry Podgorny Date: Sat, 1 Jul 2017 15:51:49 +0300 Subject: [PATCH] tls/openssl: enable cert verification for openssl older then 1.0.2 TODO: add flag to trust certificate even if verification fails. --- src/tls_openssl.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/tls_openssl.c b/src/tls_openssl.c index 12614b0..7e52c6f 100644 --- a/src/tls_openssl.c +++ b/src/tls_openssl.c @@ -101,8 +101,9 @@ tls_t *tls_new(xmpp_conn_t *conn) if (tls->ssl == NULL) goto err_free_ctx; -#if OPENSSL_VERSION_NUMBER >= 0x10002000L SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, 0); +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + /* Hostname verification is supported in OpenSSL 1.0.2 and newer. */ X509_VERIFY_PARAM *param = SSL_get0_param(tls->ssl); /* @@ -113,9 +114,6 @@ tls_t *tls_new(xmpp_conn_t *conn) */ X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); X509_VERIFY_PARAM_set1_host(param, conn->domain, 0); -#else - /* Hostname verification is not supported before OpenSSL 1.0.2. */ - SSL_set_verify(tls->ssl, SSL_VERIFY_NONE, 0); #endif ret = SSL_set_fd(tls->ssl, conn->sock); @@ -151,6 +149,7 @@ int tls_start(tls_t *tls) { int error; int ret; + long x509_res; /* Since we're non-blocking, loop the connect call until it succeeds or fails */ @@ -167,8 +166,12 @@ int tls_start(tls_t *tls) /* success or fatal error */ break; } - _tls_set_error(tls, error); + x509_res = SSL_get_verify_result(tls->ssl); + xmpp_debug(tls->ctx, "tls", "Certificate verification %s", + x509_res == X509_V_OK ? "passed" : "FAILED"); + + _tls_set_error(tls, error); return ret <= 0 ? 0 : 1; }