aboutsummaryrefslogtreecommitdiff
path: root/src/modules
diff options
context:
space:
mode:
authorGravatar Sadie Powell2025-11-02 20:45:34 +0000
committerGravatar Sadie Powell2025-11-02 21:28:32 +0000
commitb52b65ca0c55bd3f1f2b1452d830d38700146ce9 (patch)
tree9010492ab24d38efcf10d2928f1b646958ec2a36 /src/modules
parentFix an if that should be an else if in sslinfo. (diff)
Improve the way client certificates are validated in ssl_openssl.
Diffstat (limited to 'src/modules')
-rw-r--r--src/modules/extra/m_ssl_openssl.cpp33
1 files changed, 23 insertions, 10 deletions
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index bbdb426f5..5a85f3586 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -62,7 +62,6 @@
# define INSPIRCD_OPENSSL_AUTO_DH
#endif
-static bool SelfSigned = false;
static int exdataindex;
static Module* thismod;
@@ -537,10 +536,6 @@ static int OnVerify(int preverify_ok, X509_STORE_CTX* ctx)
* we can just return preverify_ok here, and openssl
* will boot off self-signed and invalid peer certs.
*/
- int ve = X509_STORE_CTX_get_error(ctx);
-
- SelfSigned = (ve == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT);
-
return 1;
}
@@ -624,18 +619,36 @@ private:
return;
}
- certinfo->invalid = (SSL_get_verify_result(sess) != X509_V_OK);
+ const auto verify = SSL_get_verify_result(sess);
- if (!SelfSigned)
+ auto selfsigned = false;
+ switch (verify)
{
- certinfo->unknownsigner = false;
- certinfo->trusted = true;
+ case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+ case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ selfsigned = true;
+ [[fallthrough]];
+
+ case X509_V_OK:
+ certinfo->invalid = false;
+ break;
+
+ default:
+ certinfo->invalid = true;
+ break;
}
- else
+
+ if (selfsigned)
{
certinfo->unknownsigner = true;
certinfo->trusted = false;
}
+ else
+ {
+ certinfo->unknownsigner = false;
+ certinfo->trusted = true;
+ }
GetDNString(X509_get_subject_name(cert), certinfo->dn);
GetDNString(X509_get_issuer_name(cert), certinfo->issuer);