| author | Carlos Martín Nieto <cmn@elego.de> | 2012-08-28 14:15:32 +0200 | 
|---|---|---|
| committer | Carlos Martín Nieto <cmn@elego.de> | 2012-08-28 15:39:06 +0200 | 
| commit | 0d5dce268d47c4ecfb3f8cdda3379cd606630105 (patch) | |
| tree | 7b6d2c451b13a386056eac726e44bf4e25060288 /src/netops.c | |
| parent | 62eafd0620eff3d7ca3659a3f4a4808488f0b2c3 (diff) | |
| download | libgit2-0d5dce268d47c4ecfb3f8cdda3379cd606630105.tar.gz | |
ssl: make cert check ignore work for invalid certs, not just CNs
Passing SSL_VERIFY_PEER makes OpenSSL shut down the connection if the
certificate is invalid, without giving us a chance to ignore that
error. Pass SSL_VERIFY_NONE and call SSL_get_verify_result if the user
wanted us to check.
When no CNs match, we used to jump to on_error which gave a bogus
error as that's for OpenSSL errors. Jump to cert_fail so we tell the
user that the error came from checking the certificate.
Diffstat (limited to 'src/netops.c')
| -rw-r--r-- | src/netops.c | 8 | 
1 files changed, 6 insertions, 2 deletions
| diff --git a/src/netops.c b/src/netops.c
index 49a0308bb..f622e0d10 100644
--- a/src/netops.c
+++ b/src/netops.c
@@ -238,6 +238,10 @@ static int verify_server_cert(git_transport *t, const char *host)
 	void *addr;
 	int i = -1,j;
+	if (SSL_get_verify_result(t->ssl.ssl) != X509_V_OK) {
+		giterr_set(GITERR_SSL, "The SSL certificate is invalid");
+		return -1;
+	}
 	/* Try to parse the host as an IP address to see if it is */
 	if (inet_pton(AF_INET, host, &addr4)) {
@@ -286,7 +290,7 @@ static int verify_server_cert(git_transport *t, const char *host)
 	GENERAL_NAMES_free(alts);
 	if (matched == 0)
-		goto on_error;
+		goto cert_fail;
 	if (matched == 1)
 		return 0;
@@ -354,7 +358,7 @@ static int ssl_setup(git_transport *t, const char *host)
 		return ssl_set_error(&t->ssl, 0);
 	SSL_CTX_set_mode(t->ssl.ctx, SSL_MODE_AUTO_RETRY);
-	SSL_CTX_set_verify(t->ssl.ctx, SSL_VERIFY_PEER, NULL);
+	SSL_CTX_set_verify(t->ssl.ctx, SSL_VERIFY_NONE, NULL);
 	if (!SSL_CTX_set_default_verify_paths(t->ssl.ctx))
 		return ssl_set_error(&t->ssl, 0); | 
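Review bot: The `SSL_get_verify_result()` guard added at the top of verify_server_cert also returns X509_V_OK when the peer presented no certificate at all, and now that the context is set to SSL_VERIFY_NONE (third hunk) OpenSSL no longer aborts such a handshake on its own. Unless the remainder of verify_server_cert, which starts before and continues past this hunk, already fails when `SSL_get_peer_certificate()` returns NULL, the guard should be paired with that check, e.g. `X509 *cert = SSL_get_peer_certificate(t->ssl.ssl); if (!cert) goto cert_fail;` before the name matching. The two checks together are what replace the verification OpenSSL used to do for this code.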
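Review bot: The switch to `SSL_VERIFY_NONE` in ssl_setup leaves nothing at the call site saying where certificate verification now happens, so a reader will assume certificates are never checked. Add a comment above it: `/* Verification is done explicitly in verify_server_cert() via SSL_get_verify_result(), so an invalid certificate can be reported or ignored per the user's choice instead of aborting the handshake. */`. Whether every connection path that the commit message says should check the certificate actually reaches verify_server_cert cannot be confirmed from this hunk; ssl_setup continues past it.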
