diff options
| author | jsing <> | 2016-12-26 16:20:58 +0000 |
|---|---|---|
| committer | jsing <> | 2016-12-26 16:20:58 +0000 |
| commit | e42acf6ea18cc05e621978c53dbbb294bdb059c7 (patch) | |
| tree | fbec04954e27c01c99531c149058fcede14efd69 /src/lib/libtls/tls_client.c | |
| parent | 14b2889eb360f84951861c14bd3a80c2fd701017 (diff) | |
| download | openbsd-e42acf6ea18cc05e621978c53dbbb294bdb059c7.tar.gz openbsd-e42acf6ea18cc05e621978c53dbbb294bdb059c7.tar.bz2 openbsd-e42acf6ea18cc05e621978c53dbbb294bdb059c7.zip | |
Hook up a certificate verify callback so that we can set user friendly
error messages, instead of libssl error strings. This gives us messages
like:
certificate verification failed: certificate has expired
Instead of:
14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
This also lets us always enable peer verification since the no verification
case is now handled via the callback.
Tested by tedu@
ok beck@
Diffstat (limited to 'src/lib/libtls/tls_client.c')
| -rw-r--r-- | src/lib/libtls/tls_client.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c index 84f4e91740..18e1667eed 100644 --- a/src/lib/libtls/tls_client.c +++ b/src/lib/libtls/tls_client.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_client.c,v 1.37 2016/11/02 15:18:42 beck Exp $ */ | 1 | /* $OpenBSD: tls_client.c,v 1.38 2016/12/26 16:20:58 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -195,9 +195,7 @@ tls_connect_common(struct tls *ctx, const char *servername) | |||
| 195 | } | 195 | } |
| 196 | } | 196 | } |
| 197 | 197 | ||
| 198 | if (ctx->config->verify_cert && | 198 | if (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, SSL_VERIFY_PEER) == -1) |
| 199 | (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, | ||
| 200 | SSL_VERIFY_PEER) == -1)) | ||
| 201 | goto err; | 199 | goto err; |
| 202 | 200 | ||
| 203 | if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_verify_cb) != 1) { | 201 | if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_verify_cb) != 1) { |