Make SSL "basic" certificate check more loose (more SSH-like).

In "basic" mode, normally un trusted certificates get to be trusted if they are manually trusted by user. This provides an SSH like private key auth mechanism. Expired certificates were considered invalid in this mode which does not make much sense.
2007-10-29 00:38:42 +01:00 · 2007-10-29 00:38:42 +01:00 · 1e449da922
parent 6a0ced8929
commit 1e449da922
3 changed files with 19 additions and 5 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
+29-10-2007: Certificate validation change. In "basic" mode, expired
+certificates are now accepted as long as they are in store (therefore trusted).
+This makes the basic mode be more SSH like. Some extreme security zealots might
+want to be warned.
+
 02-09-2007: as of now log parameters go in the user {} statment. This brakes
 every config and there is no backwrads compatibility as of now.
 Lots of internal changes, expect crashes.
--- a/bip.conf.1
+++ b/bip.conf.1
@ -221,8 +221,11 @@ Tells whether BIP should check the server SSL certificate and against what.
 Can be \fBnone\fP for no check at all, \fBca\fP to check if the cert is signed
 by a Certificate Authority in repository, or \fBbasic\fP to check if cert
 exists in repository. The repository is defined by \fBssl_check_store\fP.  This
-allows a "ssh-like" private key generation scheme. Note that in basic mode,
-valid CA-signed certificates are also considered valid.
+allows a "ssh-like" private key generation scheme. Note that in basic mode:
+.br
+ - expired certificates that are in the store are considered valid.
+.br
+ - CA-signed certificates are considered valid even if not in store.

 .TP
 \fBssl_check_store\fP (default: \fBnot set\fP)
--- a/src/connection.c
+++ b/src/connection.c
@ -1178,14 +1178,20 @@ static int bip_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 			(err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
 			 err == X509_V_ERR_CERT_UNTRUSTED ||
 			 err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
-			 err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) {
+			 err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
+			 err == X509_V_ERR_CERT_HAS_EXPIRED)) {

 		if (X509_STORE_get_by_subject(ctx, X509_LU_X509,
 				X509_get_subject_name(err_cert), &xobj) > 0 &&
 				!X509_cmp(xobj.data.x509, err_cert)) {

-			mylog(LOG_INFO, "Basic mode; peer certificate found "
-					"in store, accepting it!");
+			if (err == X509_V_ERR_CERT_HAS_EXPIRED)
+				mylog(LOG_INFO, "Basic mode; Accepting "
+						"*expired* peer certificate "
+						"found in store.");
+			else
+				mylog(LOG_INFO, "Basic mode; Accepting peer "
+					"certificate found in store.");

 			result = 1;
 			err = X509_V_OK;