author | Timotej S <6674623+underhood@users.noreply.github.com> | 2021-10-04 08:52:35 +0200 |
committer | GitHub <noreply@github.com> | 2021-10-04 08:52:35 +0200 |
commit | 9d483133cd08007011a74b8ac59148c1855b6bcd (patch) | |
tree | a5373437ee0bf1571ec89debf5302cc024bd451c /aclk/https_client.c | |
parent | a3b29a1582f47dca6ca683534a93ec8833c24115 (diff) |
fix https client (#11608)
- do full chain check in env
Diffstat (limited to 'aclk/https_client.c')
-rw-r--r-- | aclk/https_client.c | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/aclk/https_client.c b/aclk/https_client.c
index a89345a1f1..f4c1d2e522 100644
--- a/aclk/https_client.c
+++ b/aclk/https_client.c
@@ -421,6 +421,35 @@ err_exit:
 return rc;
 }

+static int cert_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
+{
+ X509 *err_cert;
+ int err, depth;
+ char *err_str;
+
+ if (!preverify_ok) {
+ err = X509_STORE_CTX_get_error(ctx);
+ depth = X509_STORE_CTX_get_error_depth(ctx);
+ err_cert = X509_STORE_CTX_get_current_cert(ctx);
+ err_str = X509_NAME_oneline(X509_get_subject_name(err_cert), NULL, 0);
+
+ error("Cert Chain verify error:num=%d:%s:depth=%d:%s", err,
+ X509_verify_cert_error_string(err), depth, err_str);
+
+ free(err_str);
+ }
+
+#ifdef ACLK_SSL_ALLOW_SELF_SIGNED
+ if (!preverify_ok && err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
+ {
+ preverify_ok = 1;
+ error("Self Signed Certificate Accepted as the agent was built with ACLK_SSL_ALLOW_SELF_SIGNED");
+ }
+#endif
+
+ return preverify_ok;
+}
+
 int https_request(https_req_t *request, https_req_response_t *response) {
 int rc = 1, ret;
 char connect_port_str[PORT_STR_MAX_BYTES];
@@ -480,6 +509,12 @@ int https_request(https_req_t *request, https_req_response_t *response) {
 goto exit_sock;
 }

+ if (!SSL_CTX_set_default_verify_paths(ctx->ssl_ctx)) {
+ error("Error setting default verify paths");
+ goto exit_CTX;
+ }
+ SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, cert_verify_callback);
+
 ctx->ssl = SSL_new(ctx->ssl_ctx);
 if (ctx->ssl==NULL) {
 error("Cannot allocate SSL"); |
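Review bot: `X509_STORE_CTX_get_current_cert()` may return NULL for verification errors that are not tied to one particular certificate, and the new callback passes that result straight into `X509_get_subject_name()`, so such a failure would crash the client instead of being logged and rejected. The string returned by `X509_NAME_oneline(..., NULL, 0)` is allocated by OpenSSL and should be released with `OPENSSL_free()` rather than libc `free()`; the two differ whenever OpenSSL uses its own allocator (`CRYPTO_set_mem_functions`) or a different C runtime. `X509_NAME_oneline()` can itself return NULL on allocation failure, which would then be handed to `%s`. The rewritten body of the `if (!preverify_ok)` block below guards both cases and gives `err` and `err_str` defined initial values; the `ACLK_SSL_ALLOW_SELF_SIGNED` branch and the return are unchanged.
```c
static int cert_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
    X509 *err_cert;
    int err = 0, depth;
    char *err_str = NULL;

    if (!preverify_ok) {
        err = X509_STORE_CTX_get_error(ctx);
        depth = X509_STORE_CTX_get_error_depth(ctx);
        err_cert = X509_STORE_CTX_get_current_cert(ctx);
        /* current cert is NULL for errors not tied to a specific certificate */
        if (err_cert)
            err_str = X509_NAME_oneline(X509_get_subject_name(err_cert), NULL, 0);

        error("Cert Chain verify error:num=%d:%s:depth=%d:%s", err,
            X509_verify_cert_error_string(err), depth, err_str ? err_str : "(no certificate)");

        /* allocated by OpenSSL, so it must be released through OpenSSL */
        OPENSSL_free(err_str);
    }

    /* … unchanged: ACLK_SSL_ALLOW_SELF_SIGNED handling and return preverify_ok … */
```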
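Review bot: `SSL_VERIFY_PEER` with a verify callback checks that the chain leads to a trusted root, but nothing in this hunk binds the expected hostname to the verification, so unless the file does that elsewhere a certificate issued to any name by any trusted CA would be accepted for the server being contacted. If no such check exists, set the expected name on the SSL object right after `SSL_new()` with `SSL_set1_host(ctx->ssl, <hostname taken from request>)` (OpenSSL 1.1.0+) so the built-in verifier rejects a name mismatch and the callback logs it. `SSL_VERIFY_CLIENT_ONCE` is documented as a server-mode flag and is ignored in client mode, so `SSL_VERIFY_PEER` alone states the intent more clearly. A short comment above `SSL_CTX_set_verify()`, e.g. `/* verify the full chain against the default CA store; failures are logged by cert_verify_callback */`, would make the policy visible to the next reader. The body of `https_request()` continues outside this hunk.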