if (!Conf_SSLOptions.CAFile)
return true;
+ x509_cred_slot *slot = array_get(&x509_creds, sizeof(x509_cred_slot), x509_cred_idx);
+ gnutls_certificate_credentials_t x509_cred = slot->x509_cred;
+
err = gnutls_certificate_set_x509_trust_file(x509_cred,
Conf_SSLOptions.CAFile,
GNUTLS_X509_FMT_PEM);
#ifdef HAVE_LIBGNUTLS
int err;
+ (void)s;
err = gnutls_init(&c->ssl_state.gnutls_session, GNUTLS_CLIENT);
if (err) {
Log(LOG_ERR, "Failed to initialize new SSL session: %s",
default:
assert(code < 0);
if (gnutls_error_is_fatal(code)) {
- Log(LOG_ERR, "SSL error: %s [%s].",
- gnutls_strerror(code), fname);
+ /* We don't need to log this here, the generic
+ * connection layer will take care of it. */
+ LogDebug("SSL error: %s [%s].",
+ gnutls_strerror(code), fname);
ConnSSL_Free(c);
return -1;
}
assert(size);
issuer_dn = LogMalloc(size);
if (!issuer_dn) {
- Log(level, "%s: Distinguished Name: %s", msg, dn);
+ Log(level, "%s: Distinguished Name \"%s\".", msg, dn);
free(dn);
return;
}
gnutls_x509_crt_get_issuer_dn(cert, issuer_dn, &size);
- Log(level, "%s: Distinguished Name: \"%s\", Issuer \"%s\"", msg, dn,
+ Log(level, "%s: Distinguished Name \"%s\", Issuer \"%s\".", msg, dn,
issuer_dn);
free(dn);
free(issuer_dn);
* hand we want client certificates, for example for
* "CertFP" authentication with services ... */
LogOpenSSL_CertInfo(LOG_INFO, peer_cert,
- "Got unchecked client certificate");
+ "Got unchecked peer certificate");
}
X509_free(peer_cert);
gnutls_cipher_get_name(cipher),
gnutls_mac_get_name(gnutls_mac_get(sess)));
cred = gnutls_auth_get_type(c->ssl_state.gnutls_session);
- if (cred == GNUTLS_CRD_CERTIFICATE && connect) {
+ if (cred == GNUTLS_CRD_CERTIFICATE) {
cert_seen = true;
- int verify =
- gnutls_certificate_verify_peers2(c->
- ssl_state.gnutls_session,
- &status);
- if (verify < 0) {
- Log(LOG_ERR,
- "gnutls_certificate_verify_peers2 failed: %s",
- gnutls_strerror(verify));
- goto done_cn_validation;
- } else if (status) {
- gnutls_datum_t out;
-
- if (gnutls_certificate_verification_status_print
- (status, gnutls_certificate_type_get(sess), &out,
- 0) == GNUTLS_E_SUCCESS) {
- Log(LOG_ERR,
- "Certificate validation failed: %s",
- out.data);
- gnutls_free(out.data);
- }
- }
gnutls_x509_crt_t cert;
unsigned cert_list_size;
gnutls_strerror(err));
goto done_cn_validation;
}
- err = gnutls_x509_crt_check_hostname(cert, c->host);
- if (err == 0)
- Log(LOG_ERR,
- "Failed to verify the hostname, expected \"%s\"",
- c->host);
- else
- cert_ok = verify == 0 && status == 0;
-
- snprintf(msg, sizeof(msg), "%svalid peer certificate",
- cert_ok ? "" : "in");
- LogGnuTLS_CertInfo(cert_ok ? LOG_DEBUG : LOG_ERR, cert, msg);
+
+ if (connect) {
+ int verify =
+ gnutls_certificate_verify_peers2(c->
+ ssl_state.gnutls_session,
+ &status);
+ if (verify < 0) {
+ Log(LOG_ERR,
+ "gnutls_certificate_verify_peers2 failed: %s",
+ gnutls_strerror(verify));
+ goto done_cn_validation;
+ } else if (status) {
+ gnutls_datum_t out;
+
+ if (gnutls_certificate_verification_status_print
+ (status, gnutls_certificate_type_get(sess), &out,
+ 0) == GNUTLS_E_SUCCESS) {
+ Log(LOG_ERR,
+ "Certificate validation failed: %s",
+ out.data);
+ gnutls_free(out.data);
+ }
+ }
+
+ err = gnutls_x509_crt_check_hostname(cert, c->host);
+ if (err == 0)
+ Log(LOG_ERR,
+ "Failed to verify the hostname, expected \"%s\"",
+ c->host);
+ else
+ cert_ok = verify == 0 && status == 0;
+
+ snprintf(msg, sizeof(msg), "Got %svalid server certificate",
+ cert_ok ? "" : "in");
+ LogGnuTLS_CertInfo(LOG_INFO, cert, msg);
+ } else {
+ /* Incoming connection. Please see comments for OpenSSL! */
+ LogGnuTLS_CertInfo(LOG_INFO, cert,
+ "Got unchecked peer certificate");
+ }
gnutls_x509_crt_deinit(cert);
done_cn_validation: