[PERDITION-USERS] [PATCH 3 of 3] avoid loading CAs for any SSL_CTX that has no plans to verify them

# HG changeset patch # User dkg(a)fifthhorseman.net # Date 1391753406 18000 # Fri Feb 07 01:10:06 2014 -0500 # Node ID 179fcc9a4fb8a4c6b207304db6e2c153388ce2b9 # Parent 3452ac3cefa062be1f3f9191e4ea13c9c6b38ef3 avoid loading CAs for any SSL_CTX that has no plans to verify them Prior to this change, a set of trusted CAs (a "root store") was loaded for incoming connections that had no plans to verify the client certs, though the same root store was not loaded for outbound connections that had no intent to verify certs. With this change, the checks are treated symmetrically. Note also that this change actually changes the meaning of ssl_no_cert_verify for incoming (PERDITION_SSL_SERVER) connections: Before this change, ssl_no_cert_verify would affect incoming connections, despite being documented as a setting for outbound connections. With this change, ssl_no_cert_verify should not have any affect on incoming connections. diff -r 3452ac3cefa0 -r 179fcc9a4fb8 perdition/ssl.c --- a/perdition/ssl.c Fri Feb 07 00:57:22 2014 -0500 +++ b/perdition/ssl.c Fri Feb 07 01:10:06 2014 -0500 @@ -583,8 +583,10 @@ } if ((flag & PERDITION_SSL_CLIENT && opt.ssl_no_cert_verify) || - (flag & PERDITION_SSL_SERVER && opt.ssl_no_client_cert_verify)) + (flag & PERDITION_SSL_SERVER && opt.ssl_no_client_cert_verify)) { + SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, NULL); goto out; + } /* * Load the Certificate Authorities @@ -607,11 +609,7 @@ } SSL_CTX_set_verify_depth(ssl_ctx, opt.ssl_cert_verify_depth + 1); - if (flag & PERDITION_SSL_SERVER && - (opt.ssl_no_cert_verify || opt.ssl_no_client_cert_verify)) - mode = SSL_VERIFY_NONE; - else - mode = SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE; + mode = SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE; SSL_CTX_set_verify(ssl_ctx, mode, __perdition_verify_callback); /* NB: We do not need to call SSL_CTX_check_private_key()