From: Alexander Barton
Date: Tue, 2 Jan 2024 19:55:15 +0000 (+0100)
Subject: S2S-TLS/OpenSSL: Set the verification flags only once
X-Git-Tag: rel-27-rc1~32
X-Git-Url: https://arthur.barton.de/cgi-bin/gitweb.cgi?p=ngircd-alex.git;a=commitdiff_plain;h=08647ab1e7cf0d034f2d8987a3cac3201af84e02

S2S-TLS/OpenSSL: Set the verification flags only once

Set the verification flags in the ConnSSL_SetVerifyProperties_openssl function only, don't override them in ConnSSL_InitLibrary() afterwards. No functional changes, now ConnSSL_SetVerifyProperties_openssl() sets exactly the parameters which ConnSSL_InitLibrary() always overwrote ...
---
diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c
index ce4e27c1..a51f46b2 100644
--- a/src/ngircd/conn-ssl.c
+++ b/src/ngircd/conn-ssl.c
@@ -401,8 +401,6 @@ ConnSSL_InitLibrary( void )
 SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_COMPRESSION);
 SSL_CTX_set_mode(newctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
- SSL_CTX_set_verify(newctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
- Verify_openssl);
 SSL_CTX_free(ssl_ctx);
 ssl_ctx = newctx;
 Log(LOG_INFO, "%s initialized.", OpenSSL_version(OPENSSL_VERSION));
@@ -615,7 +613,6 @@ ConnSSL_SetVerifyProperties_openssl(SSL_CTX * ctx)
 {
 X509_STORE *store = NULL;
 X509_LOOKUP *lookup;
- int verify_flags = SSL_VERIFY_PEER;
 bool ret = false;
 if (!Conf_SSLOptions.CAFile)
@@ -649,7 +646,8 @@ ConnSSL_SetVerifyProperties_openssl(SSL_CTX * ctx)
 }
 }
- SSL_CTX_set_verify(ctx, verify_flags, Verify_openssl);
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
+ Verify_openssl);
 SSL_CTX_set_verify_depth(ctx, MAX_CERT_CHAIN_LENGTH);
 ret = true;
 out:
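Review bot: Dropping the unconditional SSL_CTX_set_verify() from ConnSSL_InitLibrary() means the new context keeps OpenSSL's default verify mode (SSL_VERIFY_NONE, no callback) unless ConnSSL_SetVerifyProperties_openssl() actually reaches its own SSL_CTX_set_verify() call in the third hunk. That function opens with `if (!Conf_SSLOptions.CAFile)` and ends at an `out:` label, which looks like an early-exit path; if the no-CAFile case leaves before the set_verify call, Verify_openssl() is never installed on that context, which would be a functional change despite the commit message. Worth confirming that every path through ConnSSL_SetVerifyProperties_openssl() reaches the set_verify call, or otherwise moving `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, Verify_openssl);` ahead of the CAFile check so the callback is installed regardless of whether a CA file is configured. ConnSSL_InitLibrary() starts and ends outside the hunk, so the order in which it calls ConnSSL_SetVerifyProperties_openssl() relative to the removed lines is not visible here.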
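Review bot: The flag combination now lives in exactly one place but carries no comment, and its security meaning is not obvious from the names: SSL_VERIFY_PEER makes the server request a client certificate, SSL_VERIFY_CLIENT_ONCE limits that request to the initial handshake (not renegotiation), and since SSL_VERIFY_FAIL_IF_NO_PEER_CERT is deliberately absent the accept/reject decision rests with the Verify_openssl() callback. A short comment above the call would make the policy reviewable: `/* Ask the peer for a certificate (client cert only once, on the initial handshake); whether a missing or failing cert is fatal is decided in Verify_openssl(), not here. */`. ConnSSL_SetVerifyProperties_openssl() continues past the `out:` label, so the hunk does not show its return path.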