Enhancement #350 » 0001-check-whether-trust-store-is-a-file-or-directory-in-.patch
| bip.conf.5 | ||
|---|---|---|
|
.TP
|
||
|
\fBssl_check_store\fP (default: \fBnot set\fP)
|
||
|
This repository is browsed by BIP when a SSL certificate or CA check is needed.
|
||
|
In ssl_check_mode \fBbasic\fP it must be a file, to which certificates you
|
||
|
choose to trust will be appended. In ssl_check_mode \fBca\fP it may be a
|
||
|
single file containing one or more trusted certificates concatenated together
|
||
|
between BEGIN CERTIFICATE and END CERTIFICATE lines, or a directory containing
|
||
|
individual certificates in PEM format which has been processed by \fBc_rehash\fP.
|
||
|
.TP
|
||
|
\fBssl_client_certfile\fP (default: \fBnot set\fP)
|
||
| samples/bip.conf | ||
|---|---|---|
|
# using "basic" unless you're a crypto zealot...
|
||
|
ssl_check_mode = "none";
|
||
|
# Location of the user's store for SSL certificate check
|
||
|
# Location of the user's store for server SSL certificate check
|
||
|
# In "basic" mode, that must point to a single file with all trusted
|
||
|
# certs concatenated together (the interactive "trust" appends to this
|
||
|
# file).
|
||
|
# In "ca" mode, it's a directory of a standard openssl store; you must
|
||
|
# put PEM objects (certificates, CRLs...) with .pem extension and run
|
||
|
# `c_rehash .' in it
|
||
|
# In "ca" mode, it can be either:
|
||
|
# - a directory of a standard openssl store; you must put PEM objects
|
||
|
# (certificates, CRLs...) with .pem extension and run `c_rehash .' in it
|
||
|
# - a certificate bundle file containing one or more certificates in PEM
|
||
|
# format, enclosed in BEGIN CERTIFICATE / END CERTIFICATE lines
|
||
|
ssl_check_store = "/home/bip4ever/.bip/trustedcerts.txt";
|
||
|
# Some networks (OFTC at least) allow you to authenticate to nickserv
|
||
| src/connection.c | ||
|---|---|---|
|
conn->ssl_check_mode = check_mode;
|
||
|
switch (conn->ssl_check_mode) {
|
||
|
struct stat st_buf;
|
||
|
case SSL_CHECK_BASIC:
|
||
|
if (!SSL_CTX_load_verify_locations(conn->ssl_ctx_h, check_store,
|
||
|
NULL)) {
|
||
| ... | ... | |
|
}
|
||
|
break;
|
||
|
case SSL_CHECK_CA:
|
||
|
if (!SSL_CTX_load_verify_locations(conn->ssl_ctx_h, NULL,
|
||
|
check_store)) {
|
||
|
mylog(LOG_ERROR, "Can't assign check store to "
|
||
|
"SSL connection!");
|
||
|
// Check if check_store is a file or directory
|
||
|
if (stat(check_store, &st_buf) == 0) {
|
||
|
if (st_buf.st_mode & S_IFDIR) {
|
||
|
if (!SSL_CTX_load_verify_locations(conn->ssl_ctx_h, NULL,
|
||
|
check_store)) {
|
||
|
mylog(LOG_ERROR, "Can't assign check store to "
|
||
|
"SSL connection!");
|
||
|
return conn;
|
||
|
}
|
||
|
break;
|
||
|
}
|
||
|
if (st_buf.st_mode & S_IFREG) {
|
||
|
if (!SSL_CTX_load_verify_locations(conn->ssl_ctx_h, check_store,
|
||
|
NULL)) {
|
||
|
mylog(LOG_ERROR, "Can't assign check store to "
|
||
|
"SSL connection!");
|
||
|
return conn;
|
||
|
}
|
||
|
break;
|
||
|
}
|
||
|
mylog(LOG_ERROR, "Check store is neither a file nor a directory.");
|
||
|
return conn;
|
||
|
}
|
||
|
break;
|
||
|
mylog(LOG_ERROR, "Can't open check store! Make sure path is correct.");
|
||
|
return conn;
|
||
|
}
|
||
|
switch (conn->ssl_check_mode) {
|
||