[svn] Always use SSL_VERIFY_NONE, so that the handshake finishes even if the

certificate is invalid.  That way ssl_check_server_identity can provide
better diagnostics on why the verification failed.
This commit is contained in:
hniksic 2005-05-11 04:14:42 -07:00
parent 918569ff54
commit b4c06e1dd8
2 changed files with 20 additions and 13 deletions


@ -1,3 +1,10 @@
2005-05-11 Hrvoje Niksic <hniksic@xemacs.org>
* openssl.c (ssl_init): Always use SSL_VERIFY_NONE, so that the
handshake finishes even if the certificate is invalid. That way
ssl_check_server_identity can provide better diagnostics on why
the verification failed.
2005-05-11 Hrvoje Niksic <hniksic@xemacs.org> 2005-05-11 Hrvoje Niksic <hniksic@xemacs.org>
* openssl.c (pattern_match): New function. * openssl.c (pattern_match): New function.


@ -212,10 +212,11 @@ ssl_init ()
SSL_CTX_set_default_verify_paths (ssl_ctx); SSL_CTX_set_default_verify_paths (ssl_ctx);
SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory); SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
/* Specify whether the connect should fail if the verification of /* SSL_VERIFY_NONE instructs OpenSSL not to abort SSL_connect if the
the peer fails or if it should go ahead. */ certificate is invalid. We verify the certificate separately in
SSL_CTX_set_verify (ssl_ctx, ssl_check_server_identity, which provides much better diagnostics
opt.check_cert ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL); than examining the error stack after a failed SSL_connect. */
SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_NONE, NULL);
if (opt.cert_file) if (opt.cert_file)
if (SSL_CTX_use_certificate_file (ssl_ctx, opt.cert_file, if (SSL_CTX_use_certificate_file (ssl_ctx, opt.cert_file,
@ -307,10 +308,11 @@ openssl_close (int fd, void *ctx)
DEBUGP (("Closed %d/SSL 0x%0lx\n", fd, (unsigned long) ssl)); DEBUGP (("Closed %d/SSL 0x%0lx\n", fd, (unsigned long) ssl));
} }
/* Sets up a SSL structure and performs the handshake on fd. The /* Perform the SSL handshake on file descriptor FD, which is assumed
resulting SSL structure is registered with the file descriptor FD to be connected to an SSL server. The SSL handle provided by
using fd_register_transport. That way subsequent calls to xread, OpenSSL is registered with the file descriptor FD using
xwrite, etc., will use the appropriate SSL functions. fd_register_transport, so that subsequent calls to fd_read,
fd_write, etc., will use the corresponding SSL functions.
Returns 1 on success, 0 on failure. */ Returns 1 on success, 0 on failure. */
@ -329,10 +331,8 @@ ssl_connect (int fd)
if (SSL_connect (ssl) <= 0 || ssl->state != SSL_ST_OK) if (SSL_connect (ssl) <= 0 || ssl->state != SSL_ST_OK)
goto error; goto error;
/* Register FD with Wget's transport layer, i.e. arrange that /* Register FD with Wget's transport layer, i.e. arrange that our
SSL-enabled functions are used for reading, writing, and polling. functions are used for reading, writing, and polling. */
That way the rest of Wget can keep using fd_read, fd_write, and
friends and not care what happens underneath. */
fd_register_transport (fd, openssl_read, openssl_write, openssl_poll, fd_register_transport (fd, openssl_read, openssl_write, openssl_poll,
openssl_peek, openssl_close, ssl); openssl_peek, openssl_close, ssl);
DEBUGP (("Connected %d to SSL 0x%0*lx\n", fd, 2 * sizeof (void *), DEBUGP (("Connected %d to SSL 0x%0*lx\n", fd, 2 * sizeof (void *),
@ -394,7 +394,7 @@ pattern_match (const char *pattern, const char *string)
int int
ssl_check_server_identity (int fd, const char *host) ssl_check_server_identity (int fd, const char *host)
{ {
X509 *peer_cert = NULL; X509 *peer_cert;
char peer_CN[256]; char peer_CN[256];
long vresult; long vresult;
int retval; int retval;
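Review bot: `SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_NONE, NULL);` in ssl_init removes the only handshake-level enforcement of opt.check_cert, so a successful ssl_connect no longer says anything about the peer certificate; any connection path that does not afterwards call ssl_check_server_identity and act on its failure (those callers are outside this diff) now silently accepts an invalid chain, where before SSL_VERIFY_PEER would have aborted SSL_connect. The new comment at that line should state the invariant it creates, e.g. `/* NOTE: with SSL_VERIFY_NONE this is no longer a certificate check; every caller of ssl_connect MUST run ssl_check_server_identity before sending data. */`. The rewritten ssl_connect header comment still reads like a complete secure connect and should gain a line such as `Success means only that the handshake completed; the peer certificate is NOT verified here -- see ssl_check_server_identity.` Reading the verification result after a SSL_VERIFY_NONE handshake (presumably SSL_get_verify_result into vresult) is valid for a client, but it only protects the session if that check is reached before the first request bytes go out; ssl_check_server_identity's body continues past the end of this hunk.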