S2S-TLS: Verify the TLS certificates by default

[ngircd.git] / src / ngircd / conf.c

diff --git a/src/ngircd/conf.c b/src/ngircd/conf.c
index 534a63060bd37be07c8ad89f2b9795ac055baa83..441b8f6786f6780451e3fec9f62052792d533eaf 100644 (file)
--- a/src/ngircd/conf.c
+++ b/src/ngircd/conf.c
@@ -113,6 +113,12 @@ ConfSSL_Init(void)
        free(Conf_SSLOptions.CertFile);
        Conf_SSLOptions.CertFile = NULL;
 
+       free(Conf_SSLOptions.CAFile);
+       Conf_SSLOptions.CAFile = NULL;
+
+       free(Conf_SSLOptions.CRLFile);
+       Conf_SSLOptions.CRLFile = NULL;
+
        free(Conf_SSLOptions.DHFile);
        Conf_SSLOptions.DHFile = NULL;
        array_free_wipe(&Conf_SSLOptions.KeyFilePassword);
@@ -436,10 +442,14 @@ Conf_Test( void )
 
 #ifdef SSL_SUPPORT
        puts("[SSL]");
+       printf("  CAFile = %s\n", Conf_SSLOptions.CAFile
+                                       ? Conf_SSLOptions.CAFile : "");
        printf("  CertFile = %s\n", Conf_SSLOptions.CertFile
                                        ? Conf_SSLOptions.CertFile : "");
        printf("  CipherList = %s\n", Conf_SSLOptions.CipherList ?
               Conf_SSLOptions.CipherList : DEFAULT_CIPHERS);
+       printf("  CRLFile = %s\n", Conf_SSLOptions.CRLFile
+                                       ? Conf_SSLOptions.CRLFile : "");
        printf("  DHFile = %s\n", Conf_SSLOptions.DHFile
                                        ? Conf_SSLOptions.DHFile : "");
        printf("  KeyFile = %s\n", Conf_SSLOptions.KeyFile
@@ -465,7 +475,10 @@ Conf_Test( void )
                printf( "  Host = %s\n", Conf_Server[i].host );
                printf( "  Port = %u\n", (unsigned int)Conf_Server[i].port );
 #ifdef SSL_SUPPORT
-               printf( "  SSLConnect = %s\n", yesno_to_str(Conf_Server[i].SSLConnect));
+               printf("  SSLConnect = %s\n",
+                      yesno_to_str(Conf_Server[i].SSLConnect));
+               printf("  SSLVerify = %s\n",
+                      yesno_to_str(Conf_Server[i].SSLVerify));
 #endif
                printf( "  MyPassword = %s\n", Conf_Server[i].pwd_in );
                printf( "  PeerPassword = %s\n", Conf_Server[i].pwd_out );
@@ -1797,6 +1810,16 @@ Handle_SSL(const char *File, int Line, char *Var, char *Arg)
                Conf_SSLOptions.CipherList = strdup_warn(Arg);
                return;
        }
+       if (strcasecmp(Var, "CAFile") == 0) {
+               assert(Conf_SSLOptions.CAFile == NULL);
+               Conf_SSLOptions.CAFile = strdup_warn(Arg);
+               return;
+       }
+       if (strcasecmp(Var, "CRLFile") == 0) {
+               assert(Conf_SSLOptions.CRLFile == NULL);
+               Conf_SSLOptions.CRLFile = strdup_warn(Arg);
+               return;
+       }
 
        Config_Error_Section(File, Line, Var, "SSL");
 }
@@ -1927,7 +1950,11 @@ Handle_SERVER(const char *File, int Line, char *Var, char *Arg )
        if( strcasecmp( Var, "SSLConnect" ) == 0 ) {
                New_Server.SSLConnect = Check_ArgIsTrue(Arg);
                return;
-        }
+       }
+       if (strcasecmp(Var, "SSLVerify") == 0) {
+               New_Server.SSLVerify = Check_ArgIsTrue(Arg);
+               return;
+       }
 #endif
        if( strcasecmp( Var, "Group" ) == 0 ) {
                /* Server group */
@@ -2311,6 +2338,11 @@ Init_Server_Struct( CONF_SERVER *Server )
        Proc_InitStruct(&Server->res_stat);
        Server->conn_id = NONE;
        memset(&Server->bind_addr, 0, sizeof(Server->bind_addr));
+
+#ifdef SSL_SUPPORT
+       /* Verify SSL connections by default! */
+       Server->SSLVerify = true;
+#endif
 }
 
 /* -eof- */