diff options
Diffstat (limited to 'lib/ssluse.c')
-rw-r--r-- | lib/ssluse.c | 42 |
1 files changed, 40 insertions, 2 deletions
diff --git a/lib/ssluse.c b/lib/ssluse.c index f14ad344e..4fff13d78 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -1629,6 +1629,9 @@ static CURLcode servercert(struct connectdata *conn, long lerr; ASN1_TIME *certdate; struct SessionHandle *data = conn->data; + X509 *issuer; + FILE *fp; + connssl->server_cert = SSL_get_peer_certificate(connssl->handle); if(!connssl->server_cert) { if(strict) @@ -1678,6 +1681,41 @@ static CURLcode servercert(struct connectdata *conn, /* We could do all sorts of certificate verification stuff here before deallocating the certificate. */ + /* e.g. match issuer name with provided issuer certificate */ + if (data->set.str[STRING_SSL_ISSUERCERT]) { + if (! (fp=fopen(data->set.str[STRING_SSL_ISSUERCERT],"r"))) { + if (strict) + failf(data, "SSL: Unable to open issuer cert (%s)\n", + data->set.str[STRING_SSL_ISSUERCERT]); + X509_free(connssl->server_cert); + connssl->server_cert = NULL; + return CURLE_SSL_ISSUER_ERROR; + } + issuer = PEM_read_X509(fp,NULL,NULL,NULL); + if (!issuer) { + if (strict) + failf(data, "SSL: Unable to read issuer cert (%s)\n", + data->set.str[STRING_SSL_ISSUERCERT]); + X509_free(connssl->server_cert); + X509_free(issuer); + fclose(fp); + return CURLE_SSL_ISSUER_ERROR; + } + fclose(fp); + if (X509_check_issued(issuer,connssl->server_cert) != X509_V_OK) { + if (strict) + failf(data, "SSL: Certificate issuer check failed (%s)\n", + data->set.str[STRING_SSL_ISSUERCERT]); + X509_free(connssl->server_cert); + X509_free(issuer); + connssl->server_cert = NULL; + return CURLE_SSL_ISSUER_ERROR; + } + infof(data, "\t SSL certificate issuer check ok (%s)\n", + data->set.str[STRING_SSL_ISSUERCERT]); + X509_free(issuer); + } + lerr = data->set.ssl.certverifyresult= SSL_get_verify_result(connssl->handle); if(data->set.ssl.certverifyresult != X509_V_OK) { @@ -1690,12 +1728,12 @@ static CURLcode servercert(struct connectdata *conn, retcode = CURLE_PEER_FAILED_VERIFICATION; } else - infof(data, "SSL certificate verify result: %s (%ld)," + infof(data, "\t SSL certificate verify result: %s (%ld)," " continuing anyway.\n", X509_verify_cert_error_string(lerr), lerr); } else - infof(data, "SSL certificate verify ok.\n"); + infof(data, "\t SSL certificate verify ok.\n"); } X509_free(connssl->server_cert); |