static int
Verify_openssl(int preverify_ok, X509_STORE_CTX * ctx)
{
- int err;
-
+#ifdef DEBUG
if (!preverify_ok) {
- err = X509_STORE_CTX_get_error(ctx);
- Log(LOG_ERR, "Certificate validation failed: %s",
- X509_verify_cert_error_string(err));
+ int err = X509_STORE_CTX_get_error(ctx);
+ LogDebug("Certificate validation failed: %s",
+ X509_verify_cert_error_string(err));
}
- return preverify_ok;
+#else
+ (void)preverify_ok;
+ (void)ctx;
+#endif
+
+ /* Always(!) return success as we have to deal with invalid
+ * (self-signed, expired, ...) client certificates and with invalid
+ * server certificates when "SSLVerify" is disabled, which we don't
+ * know at this stage. Therefore we postpone this check, it will be
+ * (and has to be!) handled in cb_connserver_login_ssl(). */
+ return 1;
}
#endif
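Review bot: With the unconditional `return 1` at the end of Verify_openssl(), a handshake now completes for any peer certificate. In non-DEBUG builds the callback also no longer records why validation failed, because the former `Log(LOG_ERR, ...)` call became a `LogDebug()` inside `#ifdef DEBUG`. Enforcement therefore rests entirely on the deferred check in cb_connserver_login_ssl(), which is not visible in this hunk. Since OpenSSL keeps only the last verification error once the callback accepts everything, that check presumably has to compare `SSL_get_verify_result()` with `X509_V_OK` and log the reason itself. I would extend the comment above the return with `/* Nothing is rejected (or, without DEBUG, logged) here: every code path that trusts the peer as a server must check the verify result itself. */` and confirm that any other path treating the peer as a server performs the same check. The hunk header is not visible, so anything before `static int` is outside this review.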
/**
* IO callback for new outgoing SSL-enabled server connections.
*
+ * IMPORTANT: The SSL session has been validated before, but all errors have
+ * been ignored so far! The reason for this is that the generic SSL code has no
+ * idea if the new session actually belongs to a server, as this only becomes
+ * clear when the remote peer sends its PASS command (and we have to handle
+ * invalid client certificates!). Therefore, it is important to check the
+ * status of the SSL session first before continuing the server handshake here!
+ *
* @param sock Socket descriptor.
* @param unused (ignored IO specification)
*/