allow for certificate store to be unspecified in CA mode

In many cases, using OpenSSL's default certificate store is fine and even preferred. If your OpenSSL provider (e.g. your distribution) is competent, they will manage this database better than you likely will. With this change, bip will attempt to use the default certificate store if you set CA mode but do not specify a certificate store location. This could be refined to test after enabling the default paths whether the certificate store is empty, and error/warn if so.
2014-09-19 18:04:53 -07:00 · 2014-09-19 18:04:53 -07:00 · 88242715f4
commit 88242715f4
parent 89295ca4b2
4 changed files with 30 additions and 7 deletions
--- a/bip.conf.5
+++ b/bip.conf.5
@ -254,8 +254,10 @@ This repository is browsed by BIP when a SSL certificate or CA check is needed.
 In ssl_check_mode \fBbasic\fP it must be a file, to which certificates you
 choose to trust will be appended. In ssl_check_mode \fBca\fP it may be a
 single file containing one or more trusted certificates concatenated together
-between BEGIN CERTIFICATE and END CERTIFICATE lines, or a directory containing
-individual certificates in PEM format which has been processed by \fBc_rehash\fP.
+between BEGIN CERTIFICATE and END CERTIFICATE lines, a directory containing
+individual certificates in PEM format which has been processed by \fBc_rehash\fP,
+or unset, in which case bip will attempt to use the default certificate store of
+the OpenSSL it is built against.

 .TP
 \fBssl_client_certfile\fP (default: \fBnot set\fP)
--- a/samples/bip.conf
+++ b/samples/bip.conf
@ -126,6 +126,8 @@ user {
 	# (certificates, CRLs...) with .pem extension and run `c_rehash .' in it
 	# - a certificate bundle file containing one or more certificates in PEM
 	# format, enclosed in BEGIN CERTIFICATE / END CERTIFICATE lines
+	# - unspecified: in this case, bip will attempt to use the default
+	# certificate store of the OpenSSL it is built against
 	ssl_check_store = "/home/bip4ever/.bip/trustedcerts.txt";

 	# Some networks (OFTC at least) allow you to authenticate to nickserv
--- a/src/bip.c
+++ b/src/bip.c
@ -1540,9 +1540,15 @@ noroom:
 	bip_notify(ic, "%s", buf);

 #ifdef HAVE_LIBSSL
-	bip_notify(ic, "SSL check mode '%s', stored into '%s'",
-		   checkmode2text(u->ssl_check_mode),
-		   STRORNULL(u->ssl_check_store));
+	if (u->ssl_check_store) {
+		bip_notify(ic, "SSL check mode '%s', stored into '%s'",
+				checkmode2text(u->ssl_check_mode),
+				u->ssl_check_store);
+	}
+	else {
+		bip_notify(ic, "SSL check mode '%s', default or no certificate store",
+				checkmode2text(u->ssl_check_mode));
+	}
 	if (u->ssl_client_certfile)
 		bip_notify(ic, "SSL client certificate stored into '%s'",
 				u->ssl_client_certfile);
--- a/src/connection.c
+++ b/src/connection.c
@ -1470,6 +1470,17 @@ static connection_t *_connection_new_SSL(char *dsthostname, char *dstport,
 		}
 		break;
 	case SSL_CHECK_CA:
+		if (!check_store) {
+			if (SSL_CTX_set_default_verify_paths(conn->ssl_ctx_h)) {
+				mylog(LOG_INFO, "No SSL certificate check store configured. "
+						"Default store will be used.");
+				break;
+			} else {
+				mylog(LOG_ERROR, "No SSL certificate check store configured "
+						"and cannot use default store!");
+				return conn;
+			}
+		}
 		// Check if check_store is a file or directory
 		if (stat(check_store, &st_buf) == 0) {
 			if (st_buf.st_mode & S_IFDIR) {
@ -1490,10 +1501,12 @@ static connection_t *_connection_new_SSL(char *dsthostname, char *dstport,
 				}
 				break;
 			}
-			mylog(LOG_ERROR, "Check store is neither a file nor a directory.");
+			mylog(LOG_ERROR, "Specified SSL certificate check store is neither "
+					"a file nor a directory.");
 			return conn;
 		}
-		mylog(LOG_ERROR, "Can't open check store! Make sure path is correct.");
+		mylog(LOG_ERROR, "Can't open SSL certificate check store! Check path "
+				"and permissions.");
 		return conn;
 	}