
Differences From Artifact [8c2ac3bbd3]:

To Artifact [3cd92249f9]:


192
193
194
195
196
197
198


199
200
201
202
203
204
205
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207







+
+







** Return the number of errors.
*/
int ssl_open(void){
  X509 *cert;
  int hasSavedCertificate = 0;
  int trusted = 0;
  char *connStr ;
  unsigned long e;

  ssl_global_init();

  /* Get certificate for current server from global config and
   * (if we have it in config) add it to certificate store.
   */
  cert = ssl_get_certificate(&trusted);
  if ( cert!=NULL ){
239
240
241
242
243
244
245
246

247
248
249
250
251
252
253
241
242
243
244
245
246
247

248
249
250
251
252
253
254
255







-
+








  if ( cert==NULL ){
    ssl_set_errmsg("No SSL certificate was presented by the peer");
    ssl_close();
    return 1;
  }

  if( trusted<=0 && SSL_get_verify_result(ssl) != X509_V_OK ){
  if( trusted<=0 && (e = SSL_get_verify_result(ssl)) != X509_V_OK ){
    char *desc, *prompt;
    char *warning = "";
    Blob ans;
    BIO *mem;
    unsigned char md[32];
    unsigned int mdLength = 31;
    
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280












281
282
283
284
285
286
287
267
268
269
270
271
272
273









274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292







-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+







    BIO_write(mem, "", 1); /* nul-terminate mem buffer */
    BIO_get_mem_data(mem, &desc);
    
    if( hasSavedCertificate ){
      warning = "WARNING: Certificate doesn't match the "
                "saved certificate for this host!";
    }
    prompt = mprintf(
      "\nUnknown SSL certificate:\n\n%s\n\n%s\n"
      "Either:\n"
      " * verify the certificate is correct using the SHA1 fingerprint above\n"
      " * use the global ssl-ca-location setting to specify your CA root\n"
      "   certificates list\n\n"
      "If you are not expecting this message, answer no and "
      "contact your server\nadministrator.\n\n"
      "Accept certificate [a=always/y/N]? ", desc, warning);
    prompt = mprintf("\nSSL verification failed: %s\n"
        "Certificate received: \n\n%s\n\n%s\n"
        "Either:\n"
        " * verify the certificate is correct using the "
        "SHA1 fingerprint above\n"
        " * use the global ssl-ca-location setting to specify your CA root\n"
        "   certificates list\n\n"
        "If you are not expecting this message, answer no and "
        "contact your server\nadministrator.\n\n"
        "Accept certificate for host %s [a=always/y/N]? ",
        X509_verify_cert_error_string(e), desc, warning,
        g.urlName);
    BIO_free(mem);

    prompt_user(prompt, &ans);
    free(prompt);
    if( blob_str(&ans)[0]!='y' && blob_str(&ans)[0]!='a' ) {
      X509_free(cert);
      ssl_set_errmsg("SSL certificate declined");
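Review bot: The new variable that carries the verify result is declared `unsigned long e;` (first hunk) while `SSL_get_verify_result()` returns a `long` and `X509_verify_cert_error_string()` takes a `long`, so the value is converted on the way in and again on the way out; the X509_V_ERR_* codes are small and non-negative, so nothing breaks, but `-Wsign-conversion` will complain and the declaration should simply be `long e;`. The assignment buried in the condition of the second hunk is parenthesized but still easy to misread; since `e` is only consumed inside the branch, `e = SSL_get_verify_result(ssl);` on its own line followed by `if( trusted<=0 && e!=X509_V_OK ){` reads more plainly and keeps the same short-circuit semantics for the error string. The rewritten prompt text still tells the user to verify against the "SHA1 fingerprint above"; the digest computation is outside this hunk, but if it is indeed a SHA-1 digest, a SHA-256 fingerprint is what a user would compare against a server operator's published value today, so the wording and the digest should be kept in step. ssl_open() continues beyond the end of this hunk.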