From e42acf6ea18cc05e621978c53dbbb294bdb059c7 Mon Sep 17 00:00:00 2001 From: jsing <> Date: Mon, 26 Dec 2016 16:20:58 +0000 Subject: Hook up a certificate verify callback so that we can set user friendly error messages, instead of libssl error strings. This gives us messages like: certificate verification failed: certificate has expired Instead of: 14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed This also lets us always enable peer verification since the no verification case is now handled via the callback. Tested by tedu@ ok beck@ --- src/lib/libtls/tls_client.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'src/lib/libtls/tls_client.c') diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c index 84f4e91740..18e1667eed 100644 --- a/src/lib/libtls/tls_client.c +++ b/src/lib/libtls/tls_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_client.c,v 1.37 2016/11/02 15:18:42 beck Exp $ */ +/* $OpenBSD: tls_client.c,v 1.38 2016/12/26 16:20:58 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -195,9 +195,7 @@ tls_connect_common(struct tls *ctx, const char *servername) } } - if (ctx->config->verify_cert && - (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, - SSL_VERIFY_PEER) == -1)) + if (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, SSL_VERIFY_PEER) == -1) goto err; if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_verify_cb) != 1) { -- cgit v1.2.3-55-g6feb