Diffstat (limited to 'cpp/src/IceSSL/OpenSSLEngine.cpp')
-rw-r--r--cpp/src/IceSSL/OpenSSLEngine.cpp11
1 files changed, 9 insertions, 2 deletions
diff --git a/cpp/src/IceSSL/OpenSSLEngine.cpp b/cpp/src/IceSSL/OpenSSLEngine.cpp
index 8dfde2f45fd..d6caa8f4e53 100644
--- a/cpp/src/IceSSL/OpenSSLEngine.cpp
+++ b/cpp/src/IceSSL/OpenSSLEngine.cpp
@@ -812,7 +812,7 @@ OpenSSLEngine::initialize()
// Determine whether a certificate is required from the peer.
//
{
- int sslVerifyMode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;;
+ int sslVerifyMode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
switch(getVerifyPeer())
{
case 0:
@@ -899,7 +899,14 @@ OpenSSLEngine::verifyCallback(int ok, SSL* ssl, X509_STORE_CTX* c)
out << "error = " << X509_verify_cert_error_string(err) << '\n';
out << IceInternal::fdToString(SSL_get_fd(ssl));
}
- return ok;
+
+ //
+ // Always return 1 to prevent SSL_connect/SSL_accept from
+ // returning SSL_ERROR_SSL for verification failures. This ensure
+ // that we can raise SecurityException for verification failures
+ // rather than a ProtocolException.
+ //
+ return 1;
}
# ifndef OPENSSL_NO_DH
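Review bot: Unconditionally returning 1 from verifyCallback tells OpenSSL to continue the handshake even when chain verification failed, so the connection is only rejected if whoever drives SSL_connect/SSL_accept inspects the stored result afterwards (SSL_get_verify_result or equivalent) and raises the SecurityException the comment promises; that check is not in this hunk and the callback's head is outside it, so the reviewer should confirm it exists on every handshake path, including client-side connections where the peer certificate is now accepted by the state machine. The `ok` parameter is now ignored, which is worth stating explicitly so nobody later "fixes" the callback back to `return ok;` or assumes OpenSSL still enforces the outcome. I would extend the comment to name the enforcing side, e.g. `// The verification result is still recorded by OpenSSL; the caller must check SSL_get_verify_result() after the handshake and reject the connection on failure.` The comment also has a small typo, "This ensure" should read "This ensures".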