Diffstat (limited to 'cpp/src')
-rw-r--r--cpp/src/IceSSL/AcceptorI.cpp2
-rw-r--r--cpp/src/IceSSL/ConnectorI.cpp2
-rw-r--r--cpp/src/IceSSL/Context.cpp16
-rw-r--r--cpp/src/IceSSL/Context.h2
4 files changed, 17 insertions, 5 deletions
diff --git a/cpp/src/IceSSL/AcceptorI.cpp b/cpp/src/IceSSL/AcceptorI.cpp
index dc4f0b1f8ad..9c048c9eebd 100644
--- a/cpp/src/IceSSL/AcceptorI.cpp
+++ b/cpp/src/IceSSL/AcceptorI.cpp
@@ -205,7 +205,7 @@ IceSSL::AcceptorI::accept(int timeout)
}
while(!SSL_is_init_finished(ssl));
- _instance->serverContext()->validatePeer(ssl, "", true);
+ _instance->serverContext()->verifyPeer(ssl, "", true);
}
catch(...)
{
diff --git a/cpp/src/IceSSL/ConnectorI.cpp b/cpp/src/IceSSL/ConnectorI.cpp
index 113d5501356..544d9d869e1 100644
--- a/cpp/src/IceSSL/ConnectorI.cpp
+++ b/cpp/src/IceSSL/ConnectorI.cpp
@@ -145,7 +145,7 @@ IceSSL::ConnectorI::connect(int timeout)
}
while(!SSL_is_init_finished(ssl));
- _instance->clientContext()->validatePeer(ssl, _host, false);
+ _instance->clientContext()->verifyPeer(ssl, _host, false);
}
catch(...)
{
diff --git a/cpp/src/IceSSL/Context.cpp b/cpp/src/IceSSL/Context.cpp
index 03668dce76b..2635a51a9ec 100644
--- a/cpp/src/IceSSL/Context.cpp
+++ b/cpp/src/IceSSL/Context.cpp
@@ -484,7 +484,7 @@ IceSSL::Context::ctx() const
}
void
-IceSSL::Context::validatePeer(SSL* ssl, const string& address, bool incoming)
+IceSSL::Context::verifyPeer(SSL* ssl, const string& address, bool incoming)
{
long result = SSL_get_verify_result(ssl);
if(result != X509_V_OK)
@@ -642,7 +642,19 @@ IceSSL::Context::validatePeer(SSL* ssl, const string& address, bool incoming)
const_cast<string&>(info.address) = address;
const_cast<vector<string>&>(info.dnsNames) = dnsNames;
const_cast<vector<string>&>(info.ipAddresses) = ipAddresses;
- verifier->verify(info);
+ if(!verifier->verify(info))
+ {
+ string msg = string(incoming ? "incoming" : "outgoing") +
+ " connection rejected by certificate verifier";
+ if(_instance->securityTraceLevel() >= 1)
+ {
+ _logger->trace(_instance->securityTraceCategory(), msg + "\n" +
+ IceInternal::fdToString(SSL_get_fd(ssl)));
+ }
+ SecurityException ex(__FILE__, __LINE__);
+ ex.reason = msg;
+ throw ex;
+ }
}
}
catch(...)
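Review bot: The new `throw ex;` is raised inside a try block whose `catch(...)` begins on the hunk's last line, so whether the SecurityException and its reason text actually reach accept()/connect() depends on what that handler does, which is not visible here; confirm it rethrows SecurityException unchanged rather than wrapping it or swallowing it, otherwise a verifier rejection could still be reported as a generic failure or not at all. The body of verifyPeer starts outside this hunk. The renamed declaration in the Context.h section below carries no documentation, so callers cannot see the new failure mode; suggest adding above `void verifyPeer(SSL*, const std::string&, bool);` the comment `// Throws SecurityException when the peer is rejected, including when the certificate verifier's verify() returns false.`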
diff --git a/cpp/src/IceSSL/Context.h b/cpp/src/IceSSL/Context.h
index e002031f5e7..4ab8acd074c 100644
--- a/cpp/src/IceSSL/Context.h
+++ b/cpp/src/IceSSL/Context.h
@@ -26,7 +26,7 @@ public:
SSL_CTX* ctx() const;
- void validatePeer(SSL*, const std::string&, bool);
+ void verifyPeer(SSL*, const std::string&, bool);
std::string password(bool);