diff options
| author | 2025-11-02 20:45:34 +0000 | |
|---|---|---|
| committer | 2025-11-02 21:28:32 +0000 | |
| commit | b52b65ca0c55bd3f1f2b1452d830d38700146ce9 (patch) | |
| tree | 9010492ab24d38efcf10d2928f1b646958ec2a36 /src/modules | |
| parent | Fix an if that should be an else if in sslinfo. (diff) | |
Improve the way client certificates are validated in ssl_openssl.
Diffstat (limited to 'src/modules')
| -rw-r--r-- | src/modules/extra/m_ssl_openssl.cpp | 33 |
1 files changed, 23 insertions, 10 deletions
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp index bbdb426f5..5a85f3586 100644 --- a/src/modules/extra/m_ssl_openssl.cpp +++ b/src/modules/extra/m_ssl_openssl.cpp @@ -62,7 +62,6 @@ # define INSPIRCD_OPENSSL_AUTO_DH #endif -static bool SelfSigned = false; static int exdataindex; static Module* thismod; @@ -537,10 +536,6 @@ static int OnVerify(int preverify_ok, X509_STORE_CTX* ctx) * we can just return preverify_ok here, and openssl * will boot off self-signed and invalid peer certs. */ - int ve = X509_STORE_CTX_get_error(ctx); - - SelfSigned = (ve == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT); - return 1; } @@ -624,18 +619,36 @@ private: return; } - certinfo->invalid = (SSL_get_verify_result(sess) != X509_V_OK); + const auto verify = SSL_get_verify_result(sess); - if (!SelfSigned) + auto selfsigned = false; + switch (verify) { - certinfo->unknownsigner = false; - certinfo->trusted = true; + case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: + case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: + case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: + selfsigned = true; + [[fallthrough]]; + + case X509_V_OK: + certinfo->invalid = false; + break; + + default: + certinfo->invalid = true; + break; } - else + + if (selfsigned) { certinfo->unknownsigner = true; certinfo->trusted = false; } + else + { + certinfo->unknownsigner = false; + certinfo->trusted = true; + } GetDNString(X509_get_subject_name(cert), certinfo->dn); GetDNString(X509_get_issuer_name(cert), certinfo->issuer); |
