/**
* IO callback for new outgoing SSL-enabled server connections.
*
+ * IMPORTANT: The SSL session has been validated before, but all errors have
+ * been ignored so far! The reason for this is that the generic SSL code has no
+ * idea if the new session actually belongs to a server, as this only becomes
+ * clear when the remote peer sends its PASS command (and we have to handle
+ * invalid client certificates!). Therefore, it is important to check the
+ * status of the SSL session first before continuing the server handshake here!
+ *
* @param sock Socket descriptor.
* @param unused (ignored IO specification)
*/
cb_connserver_login_ssl(int sock, short unused)
{
CONN_ID idx = Socket2Index(sock);
+ int serveridx;
(void) unused;
return;
}
+ serveridx = Conf_GetServer(idx);
+ assert(serveridx >= 0);
+ if (serveridx < 0)
+ goto err;
+
Log( LOG_INFO, "SSL connection %d with \"%s:%d\" established.", idx,
My_Connections[idx].host, Conf_Server[Conf_GetServer( idx )].port );
+ if (!Conn_OPTION_ISSET(&My_Connections[idx], CONN_SSL_PEERCERT_OK)) {
+ if (Conf_Server[serveridx].SSLVerify) {
+ Log(LOG_ERR,
+ "SSLVerify enabled for %d, but peer certificate check failed",
+ idx);
+ goto err;
+ }
+ Log(LOG_WARNING,
+ "Peer certificate check failed for %d, but SSLVerify is disabled, continuing",
+ idx);
+ }
server_login(idx);
+ return;
+ err:
+ Log(LOG_ERR, "SSL connection on socket %d failed!", sock);
+ Conn_Close(idx, "Can't connect!", NULL, false);
}