From 2bc941d3ffff370172564d27d446b968ecf5a421 Mon Sep 17 00:00:00 2001
From: Marcel Poul
Date: Tue, 31 Jan 2012 23:07:43 +0000
Subject: [PATCH] verify peer certificate
---
 emi.canl.canl-c/src/canl_ssl.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/emi.canl.canl-c/src/canl_ssl.c b/emi.canl.canl-c/src/canl_ssl.c
index bbf9c53..c239df6 100644
--- a/emi.canl.canl-c/src/canl_ssl.c
+++ b/emi.canl.canl-c/src/canl_ssl.c
@@ -52,6 +52,8 @@ ssl_initialize(glb_ctx *cc, void **ctx)
 "No cipher to use");
 goto end;
 }
+ /* XXX: should be only defined on the SSL level: */
+ SSL_CTX_set_cert_verify_callback(ssl_ctx, proxy_app_verify_callback, 0);
 //SSL_CTX_set_purpose(ssl_ctx, X509_PURPOSE_ANY);
 //SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
@@ -108,9 +110,10 @@ ssl_server_init(glb_ctx *cc, void *mech_ctx, void **ctx)
 return set_error(cc, ERR_get_error(), SSL_ERROR,
 "Failed to create SSL connection context");
- /* XXX: should be only defined on the SSL level: */
- SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, proxy_verify_callback);
- SSL_CTX_set_cert_verify_callback(ssl_ctx, proxy_app_verify_callback, 0);
+ /* TODO !!!!!!!!!! * if SSL_VERIFY_NONE, then we cannot extract peer cert. of ssl * if SSL_VERIFY_PEER, then client cert verification is mandatory!!!*/
+ SSL_set_verify(ssl, SSL_VERIFY_PEER, proxy_verify_callback);
 // SSL_use_certificate_file(ssl, "/etc/grid-security/hostcert.pem", SSL_FILETYPE_PEM);
 // SSL_use_PrivateKey_file(ssl, "/etc/grid-security/hostkey.pem", SSL_FILETYPE_PEM);
@@ -202,6 +205,8 @@ ssl_client_init(glb_ctx *cc, void *mech_ctx, void **ctx)
 free(user_proxy_fn);
 user_proxy_fn = NULL;
+ SSL_set_verify(ssl, SSL_VERIFY_PEER, proxy_verify_callback);
+
 if (cc->cert_key) {
 if (cc->cert_key->key) {
 err = SSL_use_PrivateKey(ssl, cc->cert_key->key);
--
1.8.2.3
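Review bot: The `/* XXX: should be only defined on the SSL level: */` comment carried along with `SSL_CTX_set_cert_verify_callback` into ssl_initialize no longer fits: the commit deliberately moves this call onto the shared context, and OpenSSL's cert-verify callback is a context-level setting with no per-SSL equivalent, so the note should state why it lives here, e.g. `/* Replaces OpenSSL's default chain verification for every SSL object created from this context. */`. Because this callback supersedes the built-in X509 chain check, proxy_app_verify_callback must itself perform the full chain verification and return 0 on failure; its body is not in this patch, so that should be confirmed before relying on the verification this commit introduces. Pass `NULL` rather than `0` for the unused arg pointer. The enclosing ssl_initialize starts and ends outside the hunk.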
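Review bot: The new `/* TODO ... if SSL_VERIFY_PEER, then client cert verification is mandatory!!! */` comment in ssl_server_init misstates OpenSSL's server-side semantics: `SSL_VERIFY_PEER` alone requests a client certificate and fails the handshake only when one is presented and does not verify, while a client that sends no certificate is still accepted. If an authenticated client is required the call should be `SSL_set_verify(ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, proxy_verify_callback);`; if an anonymous client is acceptable the comment should say so plainly rather than describe the behaviour as mandatory. Either way, whether a failed verification actually aborts the handshake also depends on proxy_verify_callback's return value (returning 1 after a failed check overrides the failure), which is not visible in this patch and is worth checking. ssl_server_init continues outside the hunk.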
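Review bot: `SSL_set_verify(ssl, SSL_VERIFY_PEER, proxy_verify_callback)` in ssl_client_init makes a failed chain verification abort the handshake, but chain verification by itself does not check that the server certificate belongs to the host being contacted, so any certificate chaining to a trusted CA would still be accepted unless proxy_verify_callback or the post-handshake code compares the peer's subject to the expected host; neither is visible here, so this should be confirmed and recorded next to the call, e.g. `/* chain verification only; peer identity must be checked after the handshake */`. The insertion also sits between `user_proxy_fn = NULL;` and `if (cc->cert_key)`, in the middle of the proxy-loading sequence, and grouping it with the other SSL-object settings would make the verification policy easier to find. ssl_client_init continues on both sides of the hunk.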