SSL basic mode, support X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
parent
405f8b4afc
commit
32e08c94aa
@ -1278,12 +1278,13 @@ static int bip_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
|
|||||||
|
|
||||||
/* in basic mode (mode 1), accept a leaf certificate if we can find it
|
/* in basic mode (mode 1), accept a leaf certificate if we can find it
|
||||||
* in the store */
|
* in the store */
|
||||||
if (c->ssl_check_mode == SSL_CHECK_BASIC && depth == 0 && result == 0 &&
|
if (c->ssl_check_mode == SSL_CHECK_BASIC && result == 0 &&
|
||||||
(err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
|
(err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
|
||||||
err == X509_V_ERR_CERT_UNTRUSTED ||
|
err == X509_V_ERR_CERT_UNTRUSTED ||
|
||||||
err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
|
err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
|
||||||
err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
|
err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
|
||||||
err == X509_V_ERR_CERT_HAS_EXPIRED)) {
|
err == X509_V_ERR_CERT_HAS_EXPIRED ||
|
||||||
|
err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)) {
|
||||||
|
|
||||||
if (X509_STORE_get_by_subject(ctx, X509_LU_X509,
|
if (X509_STORE_get_by_subject(ctx, X509_LU_X509,
|
||||||
X509_get_subject_name(err_cert), &xobj) > 0 &&
|
X509_get_subject_name(err_cert), &xobj) > 0 &&
|
||||||
@ -1440,7 +1441,7 @@ static connection_t *_connection_new_SSL(char *dsthostname, char *dstport,
|
|||||||
case SSL_CHECK_BASIC:
|
case SSL_CHECK_BASIC:
|
||||||
SSL_CTX_set_verify(conn->ssl_ctx_h, SSL_VERIFY_PEER,
|
SSL_CTX_set_verify(conn->ssl_ctx_h, SSL_VERIFY_PEER,
|
||||||
bip_ssl_verify_callback);
|
bip_ssl_verify_callback);
|
||||||
SSL_CTX_set_verify_depth(conn->ssl_ctx_h, 0);
|
/* SSL_CTX_set_verify_depth(conn->ssl_ctx_h, 0); */
|
||||||
break;
|
break;
|
||||||
case SSL_CHECK_CA:
|
case SSL_CHECK_CA:
|
||||||
SSL_CTX_set_verify(conn->ssl_ctx_h, SSL_VERIFY_PEER,
|
SSL_CTX_set_verify(conn->ssl_ctx_h, SSL_VERIFY_PEER,
|
||||||
|
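Review bot: Dropping `depth == 0` from the basic-mode condition in bip_ssl_verify_callback widens the override to every position in the chain, so the previously tolerated errors (including `X509_V_ERR_CERT_HAS_EXPIRED`) can now also be waived for intermediate and root certificates, subject to the store lookup that follows; the second hunk also removes the `SSL_CTX_set_verify_depth(..., 0)` limit that used to bound this. Only the new error code needs a non-zero depth, so the guard could stay for the others: `if (c->ssl_check_mode == SSL_CHECK_BASIC && result == 0 && (depth == 0 || err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) &&`. The lookup visible here is by subject name only and the rest of the condition lies outside the hunk, so it is worth confirming that it compares the whole certificate with the stored one before the error is cleared. The comment above the condition still says "accept a leaf certificate" and no longer matches the code, and the commented-out `SSL_CTX_set_verify_depth` call would be better deleted and replaced by a one-line comment saying why the depth limit was lifted.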