author | Anthony Neal <aneal@zeroc.com> | 2004-02-12 21:59:52 +0000 |
committer | Anthony Neal <aneal@zeroc.com> | 2004-02-12 21:59:52 +0000 |
commit | af18d6bf6d51018be5418b061dce4c6e3e056ed2 (patch) | |
tree | 7eee5d58f59f69b66eee44a25b7058ea866cdc00 /cpp/src/IceSSL/DefaultCertificateVerifier.cpp | |
parent | Fix (diff) | |
Fix for bug 4194: certificate validity period checking
of peer certificates. See the IceSSL.Client.IgnoreValidPeriod and
IceSSL.Server.IgnoreValidPeriod properties.
Diffstat (limited to 'cpp/src/IceSSL/DefaultCertificateVerifier.cpp')
-rw-r--r-- | cpp/src/IceSSL/DefaultCertificateVerifier.cpp | 79 |
1 files changed, 77 insertions, 2 deletions
diff --git a/cpp/src/IceSSL/DefaultCertificateVerifier.cpp b/cpp/src/IceSSL/DefaultCertificateVerifier.cpp
index d0f46e8c224..633a16b50cf 100644
--- a/cpp/src/IceSSL/DefaultCertificateVerifier.cpp
+++ b/cpp/src/IceSSL/DefaultCertificateVerifier.cpp
@@ -13,6 +13,7 @@
 // **********************************************************************
 
 #include <Ice/Communicator.h>
+#include <Ice/Properties.h>
 #include <Ice/LoggerUtil.h>
 #include <IceSSL/OpenSSL.h>
 #include <IceSSL/DefaultCertificateVerifier.h>
@@ -52,8 +53,82 @@ IceSSL::DefaultCertificateVerifier::verify(int preVerifyOkay, X509_STORE_CTX* x5
 X509_STORE_CTX_set_error(x509StoreContext, verifyError);
 }
 
- // If we have ANY errors, we bail out.
- preVerifyOkay = 0;
+ bool checkIgnoreValid = false;
+
+ switch(verifyError)
+ {
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+ {
+ checkIgnoreValid = true;
+ break;
+ }
+
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+ {
+ checkIgnoreValid = true;
+ break;
+ }
+
+ default :
+ {
+ // If we have any other errors, we bail out.
+ preVerifyOkay = 0;
+ break;
+ }
+ }
+
+ if(checkIgnoreValid)
+ {
+ ::Ice::PropertiesPtr properties = _communicator->getProperties();
+
+ switch(_contextType)
+ {
+ case Client :
+ {
+ if(properties->getPropertyAsIntWithDefault("IceSSL.Client.IgnoreValidPeriod", 0) == 0)
+ {
+ // Unless we're told to ignore this result, we bail out.
+ preVerifyOkay = 0;
+ }
+ else
+ {
+ preVerifyOkay = 1;
+ }
+ break;
+ }
+
+ case Server :
+ {
+ if(properties->getPropertyAsIntWithDefault("IceSSL.Server.IgnoreValidPeriod", 0) == 0)
+ {
+ // Unless we're told to ignore this result, we bail out.
+ preVerifyOkay = 0;
+ }
+ else
+ {
+ preVerifyOkay = 1;
+ }
+ break;
+ }
+
+ case ClientServer:
+ {
+ if(properties->getPropertyAsIntWithDefault("IceSSL.Client.IgnoreValidPeriod", 0) == 0 &&
+ properties->getPropertyAsIntWithDefault("IceSSL.Server.IgnoreValidPeriod", 0) == 0)
+ {
+ // Unless we're told to ignore this result, we bail out.
+ preVerifyOkay = 0;
+ }
+ else
+ {
+ preVerifyOkay = 1;
+ }
+ break;
+ }
+ }
+ }
 }
 
 // Only if ICE_PROTOCOL level logging is on do we worry about this.
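Review bot: The ignore path in the new switch(verifyError) also routes X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD and X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD to checkIgnoreValid, and as I read OpenSSL's error codes those mean the notBefore/notAfter field could not be parsed rather than that the certificate is merely outside its validity window, so with IgnoreValidPeriod set a peer certificate with a malformed date field is accepted, which is more than the property name promises. If that is not intended, drop those two case labels so only `case X509_V_ERR_CERT_NOT_YET_VALID:` and `case X509_V_ERR_CERT_HAS_EXPIRED:` set checkIgnoreValid; the two case groups have identical bodies and then collapse into one. In the ClientServer branch either property alone waives the check for both directions of the connection, presumably because one verifier instance serves both roles, but that deserves a comment such as `// ClientServer: either IgnoreValidPeriod property waives the check for both roles.` Note also that switch(_contextType) has no default, so an unexpected _contextType leaves preVerifyOkay at the failed value OpenSSL passed in, which fails closed and is fine but is worth stating in a comment. The enclosing verify() begins and ends outside this hunk.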