From 1e449da922a292a098e2ffc3d25703e8e73b8fce Mon Sep 17 00:00:00 2001
From: Arnaud Cornet
Date: Mon, 29 Oct 2007 00:38:42 +0100
Subject: [PATCH] Make SSL "basic" certificate check more loose (more SSH-like).

In "basic" mode, normally un trusted certificates get to be trusted if they are manually trusted by user. This provides an SSH like private key auth mechanism. Expired certificates were considered invalid in this mode which does not make much sense.
---
NEWS | 5 +++++
bip.conf.1 | 7 +++++--
src/connection.c | 12 +++++++++---
3 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/NEWS b/NEWS
index 00e3b36..d5a03fb 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,8 @@
+29-10-2007: Certificate validation change. In "basic" mode, expired
+certificates are now accepted as long as they are in store (therefore trusted).
+This makes the basic mode be more SSH like. Some extreme security zealots might
+want to be warned.
+
 02-09-2007: as of now log parameters go in the user {} statment. This brakes every config and there is no backwrads compatibility as of now. Lots of internal changes, expect crashes.
diff --git a/bip.conf.1 b/bip.conf.1
index ba1346b..cdc8850 100644
--- a/bip.conf.1
+++ b/bip.conf.1
@@ -221,8 +221,11 @@ Tells whether BIP should check the server SSL certificate and against what. Can be \fBnone\fP for no check at all, \fBca\fP to check if the cert is signed by a Certificate Authority in repository, or \fBbasic\fP to check if cert exists in repository. The repository is defined by \fBssl_check_store\fP. This
-allows a "ssh-like" private key generation scheme. Note that in basic mode,
-valid CA-signed certificates are also considered valid.
+allows a "ssh-like" private key generation scheme. Note that in basic mode:
+.br
+ - expired certificates that are in the store are considered valid.
+.br
+ - CA-signed certificates are considered valid even if not in store.
 .TP
 \fBssl_check_store\fP (default: \fBnot set\fP)
diff --git a/src/connection.c b/src/connection.c
index 19aab41..120c3a4 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -1178,14 +1178,20 @@ static int bip_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
 err == X509_V_ERR_CERT_UNTRUSTED ||
 err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
- err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) {
+ err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
+ err == X509_V_ERR_CERT_HAS_EXPIRED)) {
 if (X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_subject_name(err_cert), &xobj) > 0 && !X509_cmp(xobj.data.x509, err_cert)) {
- mylog(LOG_INFO, "Basic mode; peer certificate found "
- "in store, accepting it!");
+ if (err == X509_V_ERR_CERT_HAS_EXPIRED)
+ mylog(LOG_INFO, "Basic mode; Accepting "
+ "*expired* peer certificate "
+ "found in store.");
+ else
+ mylog(LOG_INFO, "Basic mode; Accepting peer "
+ "certificate found in store.");
 result = 1;
 err = X509_V_OK;