allow for certificate store to be unspecified in CA mode
In many cases, using OpenSSL's default certificate store is fine and even preferred. If your OpenSSL provider (e.g. your distribution) is competent, they will manage this database better than you likely will. With this change, bip will attempt to use the default certificate store if you set CA mode but do not specify a certificate store location. This could be refined to test after enabling the default paths whether the certificate store is empty, and error/warn if so.
This commit is contained in:
parent
89295ca4b2
commit
88242715f4
@ -254,8 +254,10 @@ This repository is browsed by BIP when a SSL certificate or CA check is needed.
|
|||||||
In ssl_check_mode \fBbasic\fP it must be a file, to which certificates you
|
In ssl_check_mode \fBbasic\fP it must be a file, to which certificates you
|
||||||
choose to trust will be appended. In ssl_check_mode \fBca\fP it may be a
|
choose to trust will be appended. In ssl_check_mode \fBca\fP it may be a
|
||||||
single file containing one or more trusted certificates concatenated together
|
single file containing one or more trusted certificates concatenated together
|
||||||
between BEGIN CERTIFICATE and END CERTIFICATE lines, or a directory containing
|
between BEGIN CERTIFICATE and END CERTIFICATE lines, a directory containing
|
||||||
individual certificates in PEM format which has been processed by \fBc_rehash\fP.
|
individual certificates in PEM format which has been processed by \fBc_rehash\fP,
|
||||||
|
or unset, in which case bip will attempt to use the default certificate store of
|
||||||
|
the OpenSSL it is built against.
|
||||||
|
|
||||||
.TP
|
.TP
|
||||||
\fBssl_client_certfile\fP (default: \fBnot set\fP)
|
\fBssl_client_certfile\fP (default: \fBnot set\fP)
|
||||||
|
@ -126,6 +126,8 @@ user {
|
|||||||
# (certificates, CRLs...) with .pem extension and run `c_rehash .' in it
|
# (certificates, CRLs...) with .pem extension and run `c_rehash .' in it
|
||||||
# - a certificate bundle file containing one or more certificates in PEM
|
# - a certificate bundle file containing one or more certificates in PEM
|
||||||
# format, enclosed in BEGIN CERTIFICATE / END CERTIFICATE lines
|
# format, enclosed in BEGIN CERTIFICATE / END CERTIFICATE lines
|
||||||
|
# - unspecified: in this case, bip will attempt to use the default
|
||||||
|
# certificate store of the OpenSSL it is built against
|
||||||
ssl_check_store = "/home/bip4ever/.bip/trustedcerts.txt";
|
ssl_check_store = "/home/bip4ever/.bip/trustedcerts.txt";
|
||||||
|
|
||||||
# Some networks (OFTC at least) allow you to authenticate to nickserv
|
# Some networks (OFTC at least) allow you to authenticate to nickserv
|
||||||
|
12
src/bip.c
12
src/bip.c
@ -1540,9 +1540,15 @@ noroom:
|
|||||||
bip_notify(ic, "%s", buf);
|
bip_notify(ic, "%s", buf);
|
||||||
|
|
||||||
#ifdef HAVE_LIBSSL
|
#ifdef HAVE_LIBSSL
|
||||||
bip_notify(ic, "SSL check mode '%s', stored into '%s'",
|
if (u->ssl_check_store) {
|
||||||
checkmode2text(u->ssl_check_mode),
|
bip_notify(ic, "SSL check mode '%s', stored into '%s'",
|
||||||
STRORNULL(u->ssl_check_store));
|
checkmode2text(u->ssl_check_mode),
|
||||||
|
u->ssl_check_store);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
bip_notify(ic, "SSL check mode '%s', default or no certificate store",
|
||||||
|
checkmode2text(u->ssl_check_mode));
|
||||||
|
}
|
||||||
if (u->ssl_client_certfile)
|
if (u->ssl_client_certfile)
|
||||||
bip_notify(ic, "SSL client certificate stored into '%s'",
|
bip_notify(ic, "SSL client certificate stored into '%s'",
|
||||||
u->ssl_client_certfile);
|
u->ssl_client_certfile);
|
||||||
|
@ -1470,6 +1470,17 @@ static connection_t *_connection_new_SSL(char *dsthostname, char *dstport,
|
|||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case SSL_CHECK_CA:
|
case SSL_CHECK_CA:
|
||||||
|
if (!check_store) {
|
||||||
|
if (SSL_CTX_set_default_verify_paths(conn->ssl_ctx_h)) {
|
||||||
|
mylog(LOG_INFO, "No SSL certificate check store configured. "
|
||||||
|
"Default store will be used.");
|
||||||
|
break;
|
||||||
|
} else {
|
||||||
|
mylog(LOG_ERROR, "No SSL certificate check store configured "
|
||||||
|
"and cannot use default store!");
|
||||||
|
return conn;
|
||||||
|
}
|
||||||
|
}
|
||||||
// Check if check_store is a file or directory
|
// Check if check_store is a file or directory
|
||||||
if (stat(check_store, &st_buf) == 0) {
|
if (stat(check_store, &st_buf) == 0) {
|
||||||
if (st_buf.st_mode & S_IFDIR) {
|
if (st_buf.st_mode & S_IFDIR) {
|
||||||
@ -1490,10 +1501,12 @@ static connection_t *_connection_new_SSL(char *dsthostname, char *dstport,
|
|||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
mylog(LOG_ERROR, "Check store is neither a file nor a directory.");
|
mylog(LOG_ERROR, "Specified SSL certificate check store is neither "
|
||||||
|
"a file nor a directory.");
|
||||||
return conn;
|
return conn;
|
||||||
}
|
}
|
||||||
mylog(LOG_ERROR, "Can't open check store! Make sure path is correct.");
|
mylog(LOG_ERROR, "Can't open SSL certificate check store! Check path "
|
||||||
|
"and permissions.");
|
||||||
return conn;
|
return conn;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user