author | Felix Fietkau <nbd@openwrt.org> | 2014-03-15 16:01:06 +0100 |
---|---|---|
committer | Felix Fietkau <nbd@openwrt.org> | 2014-03-15 16:01:09 +0100 |
commit | 5bdc435399643c5526aafbeddc1dd905dffe4399 (patch) | |
tree | 28e39b4f1f65c7a38508994f66c3aeb144c6145a | |
parent | f19b2ec17f0c3d663a5f349de07b12af40016902 (diff) | |
download | ustream-ssl-5bdc435399643c5526aafbeddc1dd905dffe4399.tar.gz |
polarssl: enable client side ssl verification if a certificate was loaded
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
-rw-r--r-- | ustream-polarssl.c | 15 | ||||
-rw-r--r-- | ustream-polarssl.h | 1 |
2 files changed, 9 insertions, 7 deletions
diff --git a/ustream-polarssl.c b/ustream-polarssl.c
index c0147ed..8516d7f 100644
--- a/ustream-polarssl.c
+++ b/ustream-polarssl.c
@@ -95,6 +95,7 @@ __ustream_ssl_context_new(bool server)
 	if (!ctx)
 		return NULL;
 
+	ctx->auth = SSL_VERIFY_NONE;
 	ctx->server = server;
 #ifdef USE_VERSION_1_3
 	pk_init(&ctx->key);
@@ -117,6 +118,9 @@ __hidden int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx *ctx, const char
 	if (ret)
 		return -1;
 
+	if (!ctx->server)
+		ctx->auth = SSL_VERIFY_OPTIONAL;
+
 	return 0;
 }
 
@@ -256,7 +260,7 @@ static const int default_ciphersuites[] =
 __hidden void *__ustream_ssl_session_new(struct ustream_ssl_ctx *ctx)
 {
 	ssl_context *ssl;
-	int ep, auth;
+	int ep;
 
 	ssl = calloc(1, sizeof(ssl_context));
 	if (!ssl)
@@ -267,17 +271,14 @@ __hidden void *__ustream_ssl_session_new(struct ustream_ssl_ctx *ctx)
 		return NULL;
 	}
 
-	if (ctx->server) {
+	if (ctx->server)
 		ep = SSL_IS_SERVER;
-		auth = SSL_VERIFY_NONE;
-	} else {
+	else
 		ep = SSL_IS_CLIENT;
-		auth = SSL_VERIFY_OPTIONAL;
-	}
 
 	ssl_set_ciphersuites(ssl, default_ciphersuites);
 	ssl_set_endpoint(ssl, ep);
-	ssl_set_authmode(ssl, auth);
+	ssl_set_authmode(ssl, ctx->auth);
 	ssl_set_rng(ssl, _urandom, NULL);
 
 	if (ctx->server) {
diff --git a/ustream-polarssl.h b/ustream-polarssl.h
index 70e8b42..1da2ff6 100644
--- a/ustream-polarssl.h
+++ b/ustream-polarssl.h
@@ -40,6 +40,7 @@ struct ustream_ssl_ctx {
 	rsa_context key;
 #endif
 	x509_crt cert;
+	int auth;
 	bool server;
 };
 
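Review bot: `SSL_VERIFY_OPTIONAL` does not make the handshake fail on an untrusted or mismatched peer certificate; in PolarSSL the handshake completes regardless and the outcome is only reported through ssl_get_verify_result(), so the assignment added in __ustream_ssl_set_crt_file (and the `ssl_set_authmode(ssl, ctx->auth);` call it feeds in the __ustream_ssl_session_new hunk) only amounts to "verification" if some caller inspects that result after the handshake, which nothing in this diff does. If the commit title's intent is to reject bad server certificates, the line should be `ctx->auth = SSL_VERIFY_REQUIRED;`, or the verify result has to be checked by the connection code; either way the chosen contract deserves a comment on this line, e.g. `/* client: check the peer against the loaded cert; handshake still succeeds, see ssl_get_verify_result() */`. The body of __ustream_ssl_set_crt_file begins outside the hunk, so it cannot be confirmed here whether the loaded file is a CA chain or the client's own identity certificate; if the same setter serves both, a client that loads only its own certificate would also be switched into optional verification, which is worth stating in the comment.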
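Review bot: The new `auth` field in struct ustream_ssl_ctx carries no comment, yet its meaning is a convention spread across the other file (initialised to SSL_VERIFY_NONE in __ustream_ssl_context_new, set to SSL_VERIFY_OPTIONAL for clients by __ustream_ssl_set_crt_file, and handed to ssl_set_authmode() for every new session). Suggest documenting it at the declaration: `int auth; /* ssl_set_authmode() value for new sessions; SSL_VERIFY_NONE until a client ctx loads a certificate */`.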