1
0
forked from bip/bip

Make SSL "basic" certificate check more loose (more SSH-like).

In "basic" mode, normally un trusted certificates get to be trusted if they are
manually trusted by user. This provides an SSH like private key auth mechanism.
Expired certificates were considered invalid in this mode which does not make
much sense.
This commit is contained in:
Arnaud Cornet 2007-10-29 00:38:42 +01:00
parent 6a0ced8929
commit 1e449da922
3 changed files with 19 additions and 5 deletions

5
NEWS
View File

@ -1,3 +1,8 @@
29-10-2007: Certificate validation change. In "basic" mode, expired
certificates are now accepted as long as they are in store (therefore trusted).
This makes the basic mode be more SSH like. Some extreme security zealots might
want to be warned.
02-09-2007: as of now log parameters go in the user {} statment. This brakes
every config and there is no backwrads compatibility as of now.
Lots of internal changes, expect crashes.

View File

@ -221,8 +221,11 @@ Tells whether BIP should check the server SSL certificate and against what.
Can be \fBnone\fP for no check at all, \fBca\fP to check if the cert is signed
by a Certificate Authority in repository, or \fBbasic\fP to check if cert
exists in repository. The repository is defined by \fBssl_check_store\fP. This
allows a "ssh-like" private key generation scheme. Note that in basic mode,
valid CA-signed certificates are also considered valid.
allows a "ssh-like" private key generation scheme. Note that in basic mode:
.br
- expired certificates that are in the store are considered valid.
.br
- CA-signed certificates are considered valid even if not in store.
.TP
\fBssl_check_store\fP (default: \fBnot set\fP)

View File

@ -1178,14 +1178,20 @@ static int bip_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
(err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
err == X509_V_ERR_CERT_UNTRUSTED ||
err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) {
err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
err == X509_V_ERR_CERT_HAS_EXPIRED)) {
if (X509_STORE_get_by_subject(ctx, X509_LU_X509,
X509_get_subject_name(err_cert), &xobj) > 0 &&
!X509_cmp(xobj.data.x509, err_cert)) {
mylog(LOG_INFO, "Basic mode; peer certificate found "
"in store, accepting it!");
if (err == X509_V_ERR_CERT_HAS_EXPIRED)
mylog(LOG_INFO, "Basic mode; Accepting "
"*expired* peer certificate "
"found in store.");
else
mylog(LOG_INFO, "Basic mode; Accepting peer "
"certificate found in store.");
result = 1;
err = X509_V_OK;