Enhancement #350 » 0001-check-whether-trust-store-is-a-file-or-directory-in-.patch
bip.conf.5 | ||
---|---|---|
251 | 251 |
.TP |
252 | 252 |
\fBssl_check_store\fP (default: \fBnot set\fP) |
253 | 253 |
This repository is browsed by BIP when a SSL certificate or CA check is needed. |
254 |
In ssl_check_mode \fBbasic\fP it must be a file, to which certificates you |
|
255 |
choose to trust will be appended. In ssl_check_mode \fBca\fP it may be a |
|
256 |
single file containing one or more trusted certificates concatenated together |
|
257 |
between BEGIN CERTIFICATE and END CERTIFICATE lines, or a directory containing |
|
258 |
individual certificates in PEM format which has been processed by \fBc_rehash\fP. |
|
254 | 259 | |
255 | 260 |
.TP |
256 | 261 |
\fBssl_client_certfile\fP (default: \fBnot set\fP) |
samples/bip.conf | ||
---|---|---|
117 | 117 |
# using "basic" unless you're a crypto zealot... |
118 | 118 |
ssl_check_mode = "none"; |
119 | 119 | |
120 |
# Location of the user's store for SSL certificate check |
|
120 |
# Location of the user's store for server SSL certificate check
|
|
121 | 121 |
# In "basic" mode, that must point to a single file with all trusted |
122 | 122 |
# certs concatenated together (the interactive "trust" appends to this |
123 | 123 |
# file). |
124 |
# In "ca" mode, it's a directory of a standard openssl store; you must |
|
125 |
# put PEM objects (certificates, CRLs...) with .pem extension and run |
|
126 |
# `c_rehash .' in it |
|
124 |
# In "ca" mode, it can be either: |
|
125 |
# - a directory of a standard openssl store; you must put PEM objects |
|
126 |
# (certificates, CRLs...) with .pem extension and run `c_rehash .' in it |
|
127 |
# - a certificate bundle file containing one or more certificates in PEM |
|
128 |
# format, enclosed in BEGIN CERTIFICATE / END CERTIFICATE lines |
|
127 | 129 |
ssl_check_store = "/home/bip4ever/.bip/trustedcerts.txt"; |
128 | 130 | |
129 | 131 |
# Some networks (OFTC at least) allow you to authenticate to nickserv |
src/connection.c | ||
---|---|---|
1461 | 1461 |
conn->ssl_check_mode = check_mode; |
1462 | 1462 | |
1463 | 1463 |
switch (conn->ssl_check_mode) { |
1464 |
struct stat st_buf; |
|
1464 | 1465 |
case SSL_CHECK_BASIC: |
1465 | 1466 |
if (!SSL_CTX_load_verify_locations(conn->ssl_ctx_h, check_store, |
1466 | 1467 |
NULL)) { |
... | ... | |
1469 | 1470 |
} |
1470 | 1471 |
break; |
1471 | 1472 |
case SSL_CHECK_CA: |
1472 |
if (!SSL_CTX_load_verify_locations(conn->ssl_ctx_h, NULL, |
|
1473 |
check_store)) { |
|
1474 |
mylog(LOG_ERROR, "Can't assign check store to " |
|
1475 |
"SSL connection!"); |
|
1473 |
// Check if check_store is a file or directory |
|
1474 |
if (stat(check_store, &st_buf) == 0) { |
|
1475 |
if (st_buf.st_mode & S_IFDIR) { |
|
1476 |
if (!SSL_CTX_load_verify_locations(conn->ssl_ctx_h, NULL, |
|
1477 |
check_store)) { |
|
1478 |
mylog(LOG_ERROR, "Can't assign check store to " |
|
1479 |
"SSL connection!"); |
|
1480 |
return conn; |
|
1481 |
} |
|
1482 |
break; |
|
1483 |
} |
|
1484 |
if (st_buf.st_mode & S_IFREG) { |
|
1485 |
if (!SSL_CTX_load_verify_locations(conn->ssl_ctx_h, check_store, |
|
1486 |
NULL)) { |
|
1487 |
mylog(LOG_ERROR, "Can't assign check store to " |
|
1488 |
"SSL connection!"); |
|
1489 |
return conn; |
|
1490 |
} |
|
1491 |
break; |
|
1492 |
} |
|
1493 |
mylog(LOG_ERROR, "Check store is neither a file nor a directory."); |
|
1476 | 1494 |
return conn; |
1477 | 1495 |
} |
1478 |
break; |
|
1496 |
mylog(LOG_ERROR, "Can't open check store! Make sure path is correct."); |
|
1497 |
return conn; |
|
1479 | 1498 |
} |
1480 | 1499 | |
1481 | 1500 |
switch (conn->ssl_check_mode) { |
1482 |
- |
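Review bot: The type tests at new lines 1475 and 1484, `if (st_buf.st_mode & S_IFDIR)` and `if (st_buf.st_mode & S_IFREG)`, test single bits of the multi-bit st_mode file-type field instead of comparing the whole S_IFMT field, so other file types whose code shares those bits (with the usual Unix values a socket or block device has the S_IFDIR bit set) are accepted as a directory and handed to SSL_CTX_load_verify_locations as a CApath. Use the POSIX macros made for this: `if (S_ISDIR(st_buf.st_mode)) {` and `if (S_ISREG(st_buf.st_mode)) {`. The stat() failure path at new line 1496 also drops the reason for the failure; if mylog accepts printf-style arguments, logging `strerror(errno)` together with the path would let the operator tell a missing store from an unreadable one. The enclosing function starts before this hunk and continues after it.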