/**
* Set a socket to "IPv6 only". If the given socket doesn't belong to the
* AF_INET6 family, or the operating system doesn't support this functionality,
- * this function retruns silently.
+ * this function returns silently.
*
* @param af Address family of the socket.
* @param sock Socket handle.
* the result is a valid IRC message (oversized messages are shortened, for
* example). Then it calls the Conn_Write() function to do the actual sending.
*
- * @param Idx Index fo the connection.
+ * @param Idx Index of the connection.
* @param Format Format string, see printf().
* @returns true on success, false otherwise.
*/
} /* Conn_CountMax */
/**
- * Get number of connections accepted since the daemon startet.
+ * Get number of connections accepted since the daemon started.
*
* @returns Number of connections accepted.
*/
* a 1:1 mapping today) and enlarge the "connection pool" accordingly.
*
* @param Sock Socket handle.
- * @returns Connecion index or NONE when the pool is too small.
+ * @returns Connection index or NONE when the pool is too small.
*/
static CONN_ID
Socket2Index( int Sock )
/**
* IO callback for new outgoing SSL-enabled server connections.
*
+ * IMPORTANT: The SSL session has been validated before, but all errors have
+ * been ignored so far! The reason for this is that the generic SSL code has no
+ * idea if the new session actually belongs to a server, as this only becomes
+ * clear when the remote peer sends its PASS command (and we have to handle
+ * invalid client certificates!). Therefore, it is important to check the
+ * status of the SSL session first before continuing the server handshake here!
+ *
* @param sock Socket descriptor.
* @param unused (ignored IO specification)
*/
cb_connserver_login_ssl(int sock, short unused)
{
CONN_ID idx = Socket2Index(sock);
+ int serveridx;
(void) unused;
return;
}
+ serveridx = Conf_GetServer(idx);
+ assert(serveridx >= 0);
+ if (serveridx < 0)
+ goto err;
+
Log( LOG_INFO, "SSL connection %d with \"%s:%d\" established.", idx,
My_Connections[idx].host, Conf_Server[Conf_GetServer( idx )].port );
+ if (!Conn_OPTION_ISSET(&My_Connections[idx], CONN_SSL_PEERCERT_OK)) {
+ if (Conf_Server[serveridx].SSLVerify) {
+ Log(LOG_ERR,
+ "SSLVerify enabled for %d, but peer certificate check failed",
+ idx);
+ goto err;
+ }
+ Log(LOG_WARNING,
+ "Peer certificate check failed for %d, but SSLVerify is disabled, continuing",
+ idx);
+ }
server_login(idx);
+ return;
+ err:
+ Log(LOG_ERR, "SSL connection on socket %d failed!", sock);
+ Conn_Close(idx, "Can't connect!", NULL, false);
}