1
0
forked from bip/bip

allow for certificate store to be unspecified in CA mode

In many cases, using OpenSSL's default certificate store is fine
and even preferred. If your OpenSSL provider (e.g. your
distribution) is competent, they will manage this database
better than you likely will. With this change, bip will
attempt to use the default certificate store if you set
CA mode but do not specify a certificate store location.

This could be refined to test after enabling the default paths
whether the certificate store is empty, and error/warn if
so.
This commit is contained in:
Adam Williamson 2014-09-19 18:04:53 -07:00 committed by Pierre-Louis Bonicoli
parent 89295ca4b2
commit 88242715f4
4 changed files with 30 additions and 7 deletions

View File

@ -254,8 +254,10 @@ This repository is browsed by BIP when a SSL certificate or CA check is needed.
In ssl_check_mode \fBbasic\fP it must be a file, to which certificates you
choose to trust will be appended. In ssl_check_mode \fBca\fP it may be a
single file containing one or more trusted certificates concatenated together
between BEGIN CERTIFICATE and END CERTIFICATE lines, or a directory containing
individual certificates in PEM format which has been processed by \fBc_rehash\fP.
between BEGIN CERTIFICATE and END CERTIFICATE lines, a directory containing
individual certificates in PEM format which has been processed by \fBc_rehash\fP,
or unset, in which case bip will attempt to use the default certificate store of
the OpenSSL it is built against.
.TP
\fBssl_client_certfile\fP (default: \fBnot set\fP)

View File

@ -126,6 +126,8 @@ user {
# (certificates, CRLs...) with .pem extension and run `c_rehash .' in it
# - a certificate bundle file containing one or more certificates in PEM
# format, enclosed in BEGIN CERTIFICATE / END CERTIFICATE lines
# - unspecified: in this case, bip will attempt to use the default
# certificate store of the OpenSSL it is built against
ssl_check_store = "/home/bip4ever/.bip/trustedcerts.txt";
# Some networks (OFTC at least) allow you to authenticate to nickserv

View File

@ -1540,9 +1540,15 @@ noroom:
bip_notify(ic, "%s", buf);
#ifdef HAVE_LIBSSL
bip_notify(ic, "SSL check mode '%s', stored into '%s'",
checkmode2text(u->ssl_check_mode),
STRORNULL(u->ssl_check_store));
if (u->ssl_check_store) {
bip_notify(ic, "SSL check mode '%s', stored into '%s'",
checkmode2text(u->ssl_check_mode),
u->ssl_check_store);
}
else {
bip_notify(ic, "SSL check mode '%s', default or no certificate store",
checkmode2text(u->ssl_check_mode));
}
if (u->ssl_client_certfile)
bip_notify(ic, "SSL client certificate stored into '%s'",
u->ssl_client_certfile);

View File

@ -1470,6 +1470,17 @@ static connection_t *_connection_new_SSL(char *dsthostname, char *dstport,
}
break;
case SSL_CHECK_CA:
if (!check_store) {
if (SSL_CTX_set_default_verify_paths(conn->ssl_ctx_h)) {
mylog(LOG_INFO, "No SSL certificate check store configured. "
"Default store will be used.");
break;
} else {
mylog(LOG_ERROR, "No SSL certificate check store configured "
"and cannot use default store!");
return conn;
}
}
// Check if check_store is a file or directory
if (stat(check_store, &st_buf) == 0) {
if (st_buf.st_mode & S_IFDIR) {
@ -1490,10 +1501,12 @@ static connection_t *_connection_new_SSL(char *dsthostname, char *dstport,
}
break;
}
mylog(LOG_ERROR, "Check store is neither a file nor a directory.");
mylog(LOG_ERROR, "Specified SSL certificate check store is neither "
"a file nor a directory.");
return conn;
}
mylog(LOG_ERROR, "Can't open check store! Make sure path is correct.");
mylog(LOG_ERROR, "Can't open SSL certificate check store! Check path "
"and permissions.");
return conn;
}