Changeset 200e151 for lib


Ignore:
Timestamp:
2011-12-23T22:40:17Z (8 years ago)
Author:
Wilmer van der Gaast <wilmer@…>
Branches:
master
Children:
5513f3e
Parents:
792a93b
Message:

tls_verify correction: Don't fail cert verification in non-GnuTLS modules
unless "cafile" setting is enabled.

Location:
lib
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • lib/ssl_client.h

    r792a93b r200e151  
    3737/* Some generic error codes. Especially SSL_AGAIN is important if you
    3838   want to do asynchronous I/O. */
    39 #define NSS_VERIFY_ERROR -2
    40 #define OPENSSL_VERIFY_ERROR -1
    4139#define SSL_OK            0
    4240#define SSL_NOHANDSHAKE   1
  • lib/ssl_nss.c

    r792a93b r200e151  
    140140        conn->func = func;
    141141        conn->data = data;
    142         conn->verify = verify;
     142        conn->verify = verify && global.conf->cafile;
    143143
    144144        /* This function should be called via a (short) timeout instead of
     
    160160        struct scd *conn = data;
    161161       
    162         /* Right now we don't have any verification functionality for nss so we
    163            fail in case verification has been requested by the user. */
     162        /* Right now we don't have any verification functionality for NSS. */
    164163
    165164        if( conn->verify )
    166165        {
    167                 conn->func( conn->data, NSS_VERIFY_ERROR, NULL, cond );
     166                conn->func( conn->data, 1, NULL, cond );
    168167                if( source >= 0 ) closesocket( source );
    169168                g_free( conn );
  • lib/ssl_openssl.c

    r792a93b r200e151  
    9191        conn->data = data;
    9292        conn->inpa = -1;
    93         conn->verify = verify;
     93        conn->verify = verify && global.conf->cafile;
    9494       
    9595        /* This function should be called via a (short) timeout instead of
     
    119119        SSL_METHOD *meth;
    120120       
    121         /* Right now we don't have any verification functionality for openssl so we
    122            fail in case verification has been requested by the user. */
     121        /* Right now we don't have any verification functionality for OpenSSL. */
    123122
    124123        if( conn->verify )
    125124        {
    126                 conn->func( conn->data, OPENSSL_VERIFY_ERROR, NULL, cond );
     125                conn->func( conn->data, 1, NULL, cond );
    127126                if( source >= 0 ) closesocket( source );
    128127                g_free( conn );
Note: See TracChangeset for help on using the changeset viewer.