author | Benoit Foucher <benoit@zeroc.com> | 2015-04-17 16:56:32 +0200 |
---|---|---|
committer | Benoit Foucher <benoit@zeroc.com> | 2015-04-17 16:56:32 +0200 |
commit | 76c9d40ecc5bd5edcfbfaab9b2902e35cc1ac19a (patch) | |
tree | 00385dd48603a40e66750557f25a281505625680 /cpp/src/IceSSL/OpenSSLEngine.cpp | |
parent | Fixed SChannel issue where intermediate certificates were not being sent (diff) | |
Fixed IceSSL OpenSSL implementation to provide and use the verified certificate chain
Diffstat (limited to 'cpp/src/IceSSL/OpenSSLEngine.cpp')
-rw-r--r-- | cpp/src/IceSSL/OpenSSLEngine.cpp | 62 |
1 files changed, 0 insertions, 62 deletions
diff --git a/cpp/src/IceSSL/OpenSSLEngine.cpp b/cpp/src/IceSSL/OpenSSLEngine.cpp
index d6caa8f4e53..c47e19eb99f 100644
--- a/cpp/src/IceSSL/OpenSSLEngine.cpp
+++ b/cpp/src/IceSSL/OpenSSLEngine.cpp
@@ -145,14 +145,6 @@ IceSSL_opensslDHCallback(SSL* ssl, int /*isExport*/, int keyLength)
 }
 # endif
-int
-IceSSL_opensslVerifyCallback(int ok, X509_STORE_CTX* ctx)
-{
- SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
- OpenSSLEngine* p = reinterpret_cast<OpenSSLEngine*>(SSL_CTX_get_ex_data(ssl->ctx, 0));
- return p->verifyCallback(ok, ssl, ctx);
-}
-
 }
 namespace
@@ -807,30 +799,6 @@ OpenSSLEngine::initialize()
 SSL_free(ssl);
 getLogger()->trace(securityTraceCategory(), os.str());
 }
-
- //
- // Determine whether a certificate is required from the peer.
- //
- {
- int sslVerifyMode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
- switch(getVerifyPeer())
- {
- case 0:
- sslVerifyMode = SSL_VERIFY_NONE;
- break;
- case 1:
- sslVerifyMode = SSL_VERIFY_PEER;
- break;
- case 2:
- sslVerifyMode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
- break;
- default:
- {
- assert(false);
- }
- }
- SSL_CTX_set_verify(_ctx, sslVerifyMode, IceSSL_opensslVerifyCallback);
- }
 }
 catch(...)
 {
@@ -879,36 +847,6 @@ OpenSSLEngine::destroy()
 }
 }
-int
-OpenSSLEngine::verifyCallback(int ok, SSL* ssl, X509_STORE_CTX* c)
-{
- if(!ok && securityTraceLevel() >= 1)
- {
- X509* cert = X509_STORE_CTX_get_current_cert(c);
- int err = X509_STORE_CTX_get_error(c);
- char buf[256];
-
- Trace out(getLogger(), securityTraceCategory());
- out << "certificate verification failure\n";
-
- X509_NAME_oneline(X509_get_issuer_name(cert), buf, static_cast<int>(sizeof(buf)));
- out << "issuer = " << buf << '\n';
- X509_NAME_oneline(X509_get_subject_name(cert), buf, static_cast<int>(sizeof(buf)));
- out << "subject = " << buf << '\n';
- out << "depth = " << X509_STORE_CTX_get_error_depth(c) << '\n';
- out << "error = " << X509_verify_cert_error_string(err) << '\n';
- out << IceInternal::fdToString(SSL_get_fd(ssl));
- }
-
- //
- // Always return 1 to prevent SSL_connect/SSL_accept from
- // returning SSL_ERROR_SSL for verification failures. This ensure
- // that we can raise SecurityException for verification failures
- // rather than a ProtocolException.
- //
- return 1;
-}
-
 # ifndef OPENSSL_NO_DH
 DH*
 OpenSSLEngine::dhParams(int keyLength) |