TLSClient: do certification verification with old gnutls
The automatic verification for the server certificate with gnutls_certificate_set_verify_function does only work with gnutls >=2.9.10. So with older versions we should call the verify function manually after the gnutls handshake. Signed-off-by: Paul Beckingham <paul@beckingham.net>
This commit is contained in:
Alexander Sulfrian
committed by
Paul Beckingham
Paul Beckingham
parent
5774c31dfd
commit
88b94ac2fc
1
AUTHORS
1
AUTHORS
@@ -101,6 +101,7 @@ The following submitted code, packages or analysis, and deserve special thanks:
|
|||||||
Marton Suranyi
|
Marton Suranyi
|
||||||
Nicolas Appriou
|
Nicolas Appriou
|
||||||
Jochen Sprickerhof
|
Jochen Sprickerhof
|
||||||
|
Alexander Sulfrian
|
||||||
|
|
||||||
Thanks to the following, who submitted detailed bug reports and excellent
|
Thanks to the following, who submitted detailed bug reports and excellent
|
||||||
suggestions:
|
suggestions:
|
||||||
|
|||||||
@@ -45,6 +45,8 @@ Bugs
|
|||||||
- #1473 Make TASK_RCDIR customizable (thanks to Elias Probst).
|
- #1473 Make TASK_RCDIR customizable (thanks to Elias Probst).
|
||||||
- #1486 Truncated sentence in task-sync(5) manpage (thanks to Jakub Wilk).
|
- #1486 Truncated sentence in task-sync(5) manpage (thanks to Jakub Wilk).
|
||||||
- #1487 `tasksh` segmentation fault (thanks to Hector Arciga).
|
- #1487 `tasksh` segmentation fault (thanks to Hector Arciga).
|
||||||
|
- Added certificate verification to GnuTLS versions < 2.9.10 (thanks to Alexander
|
||||||
|
Sulfrian)
|
||||||
- Removed debugging code.
|
- Removed debugging code.
|
||||||
|
|
||||||
------ current release ---------------------------
|
------ current release ---------------------------
|
||||||
|
|||||||
@@ -183,6 +183,10 @@ void TLSClient::init (
|
|||||||
throw std::string ("Missing CERT file.");
|
throw std::string ("Missing CERT file.");
|
||||||
|
|
||||||
#if GNUTLS_VERSION_NUMBER >= 0x02090a
|
#if GNUTLS_VERSION_NUMBER >= 0x02090a
|
||||||
|
// The automatic verification for the server certificate with
|
||||||
|
// gnutls_certificate_set_verify_function only works with gnutls
|
||||||
|
// >=2.9.10. So with older versions we should call the verify function
|
||||||
|
// manually after the gnutls handshake.
|
||||||
gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback);
|
gnutls_certificate_set_verify_function (_credentials, verify_certificate_callback);
|
||||||
#endif
|
#endif
|
||||||
gnutls_init (&_session, GNUTLS_CLIENT);
|
gnutls_init (&_session, GNUTLS_CLIENT);
|
||||||
@@ -267,6 +271,16 @@ void TLSClient::connect (const std::string& host, const std::string& port)
|
|||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
throw format (STRING_CMD_SYNC_HANDSHAKE, gnutls_strerror (ret));
|
throw format (STRING_CMD_SYNC_HANDSHAKE, gnutls_strerror (ret));
|
||||||
|
|
||||||
|
#if GNUTLS_VERSION_NUMBER < 0x02090a
|
||||||
|
// The automatic verification for the server certificate with
|
||||||
|
// gnutls_certificate_set_verify_function does only work with gnutls
|
||||||
|
// >=2.9.10. So with older versions we should call the verify function
|
||||||
|
// manually after the gnutls handshake.
|
||||||
|
ret = verify_certificate_callback(_session);
|
||||||
|
if (ret < 0)
|
||||||
|
throw std::string (STRING_TLS_INIT_FAIL);
|
||||||
|
#endif
|
||||||
|
|
||||||
if (_debug)
|
if (_debug)
|
||||||
{
|
{
|
||||||
#if GNUTLS_VERSION_NUMBER >= 0x03010a
|
#if GNUTLS_VERSION_NUMBER >= 0x03010a
|
||||||
|
|||||||
Reference in New Issue
Block a user