Enhancement #350 » 0002-allow-for-certificate-store-to-be-unspecified-in-CA-.patch
| bip.conf.5 | ||
|---|---|---|
|
In ssl_check_mode \fBbasic\fP it must be a file, to which certificates you
|
||
|
choose to trust will be appended. In ssl_check_mode \fBca\fP it may be a
|
||
|
single file containing one or more trusted certificates concatenated together
|
||
|
between BEGIN CERTIFICATE and END CERTIFICATE lines, or a directory containing
|
||
|
individual certificates in PEM format which has been processed by \fBc_rehash\fP.
|
||
|
between BEGIN CERTIFICATE and END CERTIFICATE lines, a directory containing
|
||
|
individual certificates in PEM format which has been processed by \fBc_rehash\fP,
|
||
|
or unset, in which case bip will attempt to use the default certificate store of
|
||
|
the OpenSSL it is built against.
|
||
|
.TP
|
||
|
\fBssl_client_certfile\fP (default: \fBnot set\fP)
|
||
| samples/bip.conf | ||
|---|---|---|
|
# (certificates, CRLs...) with .pem extension and run `c_rehash .' in it
|
||
|
# - a certificate bundle file containing one or more certificates in PEM
|
||
|
# format, enclosed in BEGIN CERTIFICATE / END CERTIFICATE lines
|
||
|
# - unspecified: in this case, bip will attempt to use the default
|
||
|
# certificate store of the OpenSSL it is built against
|
||
|
ssl_check_store = "/home/bip4ever/.bip/trustedcerts.txt";
|
||
|
# Some networks (OFTC at least) allow you to authenticate to nickserv
|
||
| src/bip.c | ||
|---|---|---|
|
bip_notify(ic, "%s", buf);
|
||
|
#ifdef HAVE_LIBSSL
|
||
|
bip_notify(ic, "SSL check mode '%s', stored into '%s'",
|
||
|
checkmode2text(u->ssl_check_mode),
|
||
|
STRORNULL(u->ssl_check_store));
|
||
|
if (u->ssl_check_store) {
|
||
|
bip_notify(ic, "SSL check mode '%s', stored into '%s'",
|
||
|
checkmode2text(u->ssl_check_mode),
|
||
|
u->ssl_check_store);
|
||
|
}
|
||
|
else {
|
||
|
bip_notify(ic, "SSL check mode '%s', default or no certificate store",
|
||
|
checkmode2text(u->ssl_check_mode));
|
||
|
}
|
||
|
if (u->ssl_client_certfile)
|
||
|
bip_notify(ic, "SSL client certificate stored into '%s'",
|
||
|
u->ssl_client_certfile);
|
||
| src/connection.c | ||
|---|---|---|
|
}
|
||
|
break;
|
||
|
case SSL_CHECK_CA:
|
||
|
if (!check_store) {
|
||
|
if (SSL_CTX_set_default_verify_paths(conn->ssl_ctx_h)) {
|
||
|
mylog(LOG_INFO, "No SSL certificate check store configured. "
|
||
|
"Default store will be used.");
|
||
|
break;
|
||
|
} else {
|
||
|
mylog(LOG_ERROR, "No SSL certificate check store configured "
|
||
|
"and cannot use default store!");
|
||
|
return conn;
|
||
|
}
|
||
|
}
|
||
|
// Check if check_store is a file or directory
|
||
|
if (stat(check_store, &st_buf) == 0) {
|
||
|
if (st_buf.st_mode & S_IFDIR) {
|
||
| ... | ... | |
|
}
|
||
|
break;
|
||
|
}
|
||
|
mylog(LOG_ERROR, "Check store is neither a file nor a directory.");
|
||
|
mylog(LOG_ERROR, "Specified SSL certificate check store is neither "
|
||
|
"a file nor a directory.");
|
||
|
return conn;
|
||
|
}
|
||
|
mylog(LOG_ERROR, "Can't open check store! Make sure path is correct.");
|
||
|
mylog(LOG_ERROR, "Can't open SSL certificate check store! Check path "
|
||
|
"and permissions.");
|
||
|
return conn;
|
||
|
}
|
||
- « Previous
- 1
- 2
- Next »