From 21d3109e17fee82910c8834abd70dec8e15e0b97 Mon Sep 17 00:00:00 2001
From: Adam Williamson
Date: Fri, 19 Sep 2014 18:04:53 -0700
Subject: [PATCH 2/2] allow for certificate store to be unspecified in CA mode
In many cases, using OpenSSL's default certificate store is fine and even preferred. If your OpenSSL provider (e.g. your distribution) is competent, they will manage this database better than you likely will. With this change, bip will attempt to use the default certificate store if you set CA mode but do not specify a certificate store location. This could be refined to test after enabling the default paths whether the certificate store is empty, and error/warn if so.
---
 bip.conf.5 | 6 ++++--
 samples/bip.conf | 2 ++
 src/bip.c | 12 +++++++++---
 src/connection.c | 17 +++++++++++++++--
 4 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/bip.conf.5 b/bip.conf.5
index e8030c2..3b1ccf6 100644
--- a/bip.conf.5
+++ b/bip.conf.5
@@ -254,8 +254,10 @@ This repository is browsed by BIP when a SSL certificate or CA check is
 needed. In ssl_check_mode \fBbasic\fP it must be a file, to which certificates you choose to trust will be appended. In ssl_check_mode \fBca\fP it may be a single file containing one or more trusted certificates concatenated together
-between BEGIN CERTIFICATE and END CERTIFICATE lines, or a directory containing
-individual certificates in PEM format which has been processed by \fBc_rehash\fP.
+between BEGIN CERTIFICATE and END CERTIFICATE lines, a directory containing
+individual certificates in PEM format which has been processed by \fBc_rehash\fP,
+or unset, in which case bip will attempt to use the default certificate store of
+the OpenSSL it is built against.
 .TP
 \fBssl_client_certfile\fP (default: \fBnot set\fP)
diff --git a/samples/bip.conf b/samples/bip.conf
index 59a0339..7be129d 100644
--- a/samples/bip.conf
+++ b/samples/bip.conf
@@ -126,6 +126,8 @@ user {
 # (certificates, CRLs...) with .pem extension and run `c_rehash .' in it
 # - a certificate bundle file containing one or more certificates in PEM
 # format, enclosed in BEGIN CERTIFICATE / END CERTIFICATE lines
+ # - unspecified: in this case, bip will attempt to use the default
+ # certificate store of the OpenSSL it is built against
 ssl_check_store = "/home/bip4ever/.bip/trustedcerts.txt";
 # Some networks (OFTC at least) allow you to authenticate to nickserv
diff --git a/src/bip.c b/src/bip.c
index 37e72d9..f025c21 100644
--- a/src/bip.c
+++ b/src/bip.c
@@ -1540,9 +1540,15 @@ noroom:
 bip_notify(ic, "%s", buf);
 #ifdef HAVE_LIBSSL
- bip_notify(ic, "SSL check mode '%s', stored into '%s'",
- checkmode2text(u->ssl_check_mode),
- STRORNULL(u->ssl_check_store));
+ if (u->ssl_check_store) {
+ bip_notify(ic, "SSL check mode '%s', stored into '%s'",
+ checkmode2text(u->ssl_check_mode),
+ u->ssl_check_store);
+ }
+ else {
+ bip_notify(ic, "SSL check mode '%s', default or no certificate store",
+ checkmode2text(u->ssl_check_mode));
+ }
 if (u->ssl_client_certfile)
 bip_notify(ic, "SSL client certificate stored into '%s'",
 u->ssl_client_certfile);
diff --git a/src/connection.c b/src/connection.c
index b534cd0..ab1516e 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -1470,6 +1470,17 @@ static connection_t *_connection_new_SSL(char *dsthostname, char *dstport,
 }
 break;
 case SSL_CHECK_CA:
+ if (!check_store) {
+ if (SSL_CTX_set_default_verify_paths(conn->ssl_ctx_h)) {
+ mylog(LOG_INFO, "No SSL certificate check store configured. "
+ "Default store will be used.");
+ break;
+ } else {
+ mylog(LOG_ERROR, "No SSL certificate check store configured "
+ "and cannot use default store!");
+ return conn;
+ }
+ }
 // Check if check_store is a file or directory
 if (stat(check_store, &st_buf) == 0) {
 if (st_buf.st_mode & S_IFDIR) {
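Review bot: The `}` / `else {` split across two lines in the new bip_notify branch of src/bip.c is inconsistent with the `} else {` form the same commit uses in src/connection.c; joining it as `} else {` keeps the two files uniform. The enclosing function begins before this hunk and continues past it.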
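Review bot: In the new `if (!check_store)` block, a non-zero return from `SSL_CTX_set_default_verify_paths()` only means OpenSSL registered its default file and hash-directory lookups (which also honour the SSL_CERT_FILE and SSL_CERT_DIR environment variables); it does not say whether those locations exist or hold a single certificate, so the LOG_INFO branch can report "Default store will be used" on a build whose default paths are empty, after which every CA-mode connection will presumably fail verification (safe, but hard to diagnose from the log). Suggest stating only what is established and naming the paths, e.g. `mylog(LOG_INFO, "No SSL certificate check store configured; using OpenSSL default paths %s and %s", X509_get_default_cert_file(), X509_get_default_cert_dir());` if mylog takes format arguments the way bip_notify does in src/bip.c. The emptiness test the commit message defers is not a one-liner, because the hash-directory lookup loads certificates lazily, so counting the store's objects right after this call would read zero even for a populated directory. The environment-variable override is worth a sentence in bip.conf.5 next to the new 'unset' wording, since it moves part of the trust decision into the process environment. _connection_new_SSL begins before this hunk and continues past it.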
@@ -1490,10 +1501,12 @@ static connection_t *_connection_new_SSL(char *dsthostname, char *dstport,
 }
 break;
 }
- mylog(LOG_ERROR, "Check store is neither a file nor a directory.");
+ mylog(LOG_ERROR, "Specified SSL certificate check store is neither "
+ "a file nor a directory.");
 return conn;
 }
- mylog(LOG_ERROR, "Can't open check store! Make sure path is correct.");
+ mylog(LOG_ERROR, "Can't open SSL certificate check store! Check path "
+ "and permissions.");
 return conn;
 }
-- 
2.1.0