author | Benoit Foucher <benoit@zeroc.com> | 2015-04-16 19:06:07 +0200 |
---|---|---|
committer | Benoit Foucher <benoit@zeroc.com> | 2015-04-16 19:06:07 +0200 |
commit | 92d89cd2713faffed0ba8ba69a65e392400b64fc (patch) | |
tree | 6e12c321b5c9debc2ad137f78813f890ab3723fc /cpp/src/IceSSL/SecureTransportTransceiverI.cpp | |
parent | Remove MD5 support from icehashpassword.py (diff) | |
Various SSL fixes, tests for intermediate CAs
Diffstat (limited to 'cpp/src/IceSSL/SecureTransportTransceiverI.cpp')
-rw-r--r-- | cpp/src/IceSSL/SecureTransportTransceiverI.cpp | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/cpp/src/IceSSL/SecureTransportTransceiverI.cpp b/cpp/src/IceSSL/SecureTransportTransceiverI.cpp
index c384def1f59..3feb7774e86 100644
--- a/cpp/src/IceSSL/SecureTransportTransceiverI.cpp
+++ b/cpp/src/IceSSL/SecureTransportTransceiverI.cpp
@@ -112,7 +112,7 @@ checkTrustResult(SecTrustRef trust, const SecureTransportEnginePtr& engine, cons
 //
 if((err = SecTrustSetNetworkFetchAllowed(trust, false)))
 {
- throw ProtocolException(__FILE__, __LINE__, "IceSSL: handshake failure:\n" + errorToString(err));
+ throw SecurityException(__FILE__, __LINE__, "IceSSL: handshake failure:\n" + errorToString(err));
 }
 //
@@ -120,7 +120,7 @@ checkTrustResult(SecTrustRef trust, const SecureTransportEnginePtr& engine, cons
 //
 if((err = SecTrustEvaluate(trust, &trustResult)))
 {
- throw ProtocolException(__FILE__, __LINE__, "IceSSL: handshake failure:\n" + errorToString(err));
+ throw SecurityException(__FILE__, __LINE__, "IceSSL: handshake failure:\n" + errorToString(err));
 }
 }
@@ -160,7 +160,7 @@ checkTrustResult(SecTrustRef trust, const SecureTransportEnginePtr& engine, cons
 {
 instance->logger()->trace(instance->traceCategory(), msg);
 }
- throw ProtocolException(__FILE__, __LINE__, msg);
+ throw SecurityException(__FILE__, __LINE__, msg);
 }
 }
 }
@@ -226,9 +226,12 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
 err = SSLCopyPeerTrust(_ssl, &_trust);
 if(_incoming && err == errSSLBadCert && _engine->getVerifyPeer() == 1)
 {
- // This happens in 10.10 when the client doesn't provide
- // a certificate and the server is configured to try
- // authenticate
+ //
+ // This is expected if the client doesn't provide a
+ // certificate (occurs since 10.10). The server is
+ // configured to verify to not require the client
+ // certificate so we ignore the failure.
+ //
 continue;
 }
 if(err == noErr) |
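Review bot: The two throws in checkTrustResult that follow `SecTrustSetNetworkFetchAllowed` and `SecTrustEvaluate` carry the same text, "IceSSL: handshake failure:", so a log reader cannot tell a trust-evaluation error from a failure to disable network fetching now that both surface as SecurityException. Naming the failing step would make triage easier, for example `"IceSSL: handshake failure (SecTrustEvaluate):\n" + errorToString(err)`. The same type change is made in the third hunk (`throw SecurityException(__FILE__, __LINE__, msg);`), so any caller that catches ProtocolException to handle a failed certificate verification would need to catch SecurityException as well; no such caller is visible on this page. checkTrustResult begins and ends outside these hunks.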
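Review bot: The rewritten comment in IceSSL::TransceiverI::initialize reads "configured to verify to not require the client certificate", which is garbled, and it does not say what state the connection is left in once `errSSLBadCert` is ignored. I would word it as `// The server verifies a client certificate when one is presented but does not require one (VerifyPeer == 1), so the failure is ignored.` The branch keys only on the error code, so if Secure Transport can also return `errSSLBadCert` for a certificate that was presented but rejected (which this hunk does not show), that case would be skipped here too. It is worth confirming that the later trust check still rejects such a peer and that code after the handshake treats an unset `_trust` as an unauthenticated client. The enclosing loop and the rest of the handshake lie outside the hunk.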