Kyoshiro/bip
1
0
Fork 0
forked from bip/bip
Code Pull Requests Activity

Make SSL "basic" certificate check more loose (more SSH-like).

Browse Source 
In "basic" mode, normally un trusted certificates get to be trusted if they are
manually trusted by user. This provides an SSH like private key auth mechanism.
Expired certificates were considered invalid in this mode which does not make
much sense.
This commit is contained in:
Arnaud Cornet 2007-10-29 00:38:42 +01:00
parent 6a0ced8929
commit 1e449da922
3 changed files with 19 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
NEWS
View File

@ -1,3 +1,8 @@
29-10-2007: Certificate validation change. In "basic" mode, expired
certificates are now accepted as long as they are in store (therefore trusted).
This makes the basic mode be more SSH like. Some extreme security zealots might
want to be warned.
02-09-2007: as of now log parameters go in the user {} statment. This brakes 02-09-2007: as of now log parameters go in the user {} statment. This brakes
every config and there is no backwrads compatibility as of now. every config and there is no backwrads compatibility as of now.
Lots of internal changes, expect crashes. Lots of internal changes, expect crashes.

7
bip.conf.1
View File

@ -221,8 +221,11 @@ Tells whether BIP should check the server SSL certificate and against what.
Can be \fBnone\fP for no check at all, \fBca\fP to check if the cert is signed Can be \fBnone\fP for no check at all, \fBca\fP to check if the cert is signed
by a Certificate Authority in repository, or \fBbasic\fP to check if cert by a Certificate Authority in repository, or \fBbasic\fP to check if cert
exists in repository. The repository is defined by \fBssl_check_store\fP. This exists in repository. The repository is defined by \fBssl_check_store\fP. This
allows a "ssh-like" private key generation scheme. Note that in basic mode, allows a "ssh-like" private key generation scheme. Note that in basic mode:
valid CA-signed certificates are also considered valid. .br
- expired certificates that are in the store are considered valid.
.br
- CA-signed certificates are considered valid even if not in store.
.TP .TP
\fBssl_check_store\fP (default: \fBnot set\fP) \fBssl_check_store\fP (default: \fBnot set\fP)

12
src/connection.c
View File

@ -1178,14 +1178,20 @@ static int bip_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
(err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY || (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
err == X509_V_ERR_CERT_UNTRUSTED || err == X509_V_ERR_CERT_UNTRUSTED ||
err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE || err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) { err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
err == X509_V_ERR_CERT_HAS_EXPIRED)) {
if (X509_STORE_get_by_subject(ctx, X509_LU_X509, if (X509_STORE_get_by_subject(ctx, X509_LU_X509,
X509_get_subject_name(err_cert), &xobj) > 0 && X509_get_subject_name(err_cert), &xobj) > 0 &&
!X509_cmp(xobj.data.x509, err_cert)) { !X509_cmp(xobj.data.x509, err_cert)) {
mylog(LOG_INFO, "Basic mode; peer certificate found " if (err == X509_V_ERR_CERT_HAS_EXPIRED)
"in store, accepting it!"); mylog(LOG_INFO, "Basic mode; Accepting "
"*expired* peer certificate "
"found in store.");
else
mylog(LOG_INFO, "Basic mode; Accepting peer "
"certificate found in store.");
result = 1; result = 1;
err = X509_V_OK; err = X509_V_OK;