Optionally validate certificates on TLS server links
[ngircd-alex.git] / src / ngircd / irc-server.c
index 92186aff7fcdbae8d8a7e5c02f7c177e1d231281..6f64c3b2983d05c77d4b97e6034df0a70537d7e6 100644 (file)
@@ -97,6 +97,21 @@ IRC_SERVER( CLIENT *Client, REQUEST *Req )
                        return DISCONNECTED;
                }
 
+#ifdef SSL_SUPPORT
+               /*
+                * This check is only done if RequireClientCert is disabled, and this Servers [SERVER] section has
+                * "SSLVerify" enabled.
+                * (if RequireClientCert is set, certificate validation is done during SSL/TLS handshake)
+                */
+               CONN_ID con = Client_Conn (Client);
+               if (Conf_Server[i].SSLVerify && !(Conn_Options(con) & CONN_SSL_PEERCERT_OK)) {
+                       Log(LOG_ERR, "Connection %d: SSLVerify is set, and server \"%s\" did not present a valid certificate",
+                                                                               Client_Conn(Client), Req->argv[0]);
+                       Conn_Close(Client_Conn(Client), NULL, "No valid SSL certificate", true);
+                       return DISCONNECTED;
+               }
+#endif
+
                /* Is there a registered server with this ID? */
                if (!Client_CheckID(Client, Req->argv[0]))
                        return DISCONNECTED;
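Review bot: The added check in IRC_SERVER passes as soon as `CONN_SSL_PEERCERT_OK` is set, and nothing in this hunk ties the validated certificate to the `[SERVER]` entry at `Conf_Server[i]` or to the name in `Req->argv[0]`. The flag's definition is outside the hunk, so if it only records that the chain validated, any peer holding a certificate from a trusted CA would satisfy `SSLVerify` for any configured server. The block comment should say what the flag guarantees, for example `/* CONN_SSL_PEERCERT_OK: chain validated during the handshake; binding to this [SERVER] entry happens in <location to be filled in> */`, and should drop "only done if RequireClientCert is disabled", because the condition does not test that option. Separately, `con` is declared after statements and used once while `Client_Conn(Client)` is called twice more; reuse `con` in the `Log` and `Conn_Close` calls, and move the declaration to the top of the enclosing block if the project still has to build as C89. The enclosing function starts and ends outside the hunk.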