author | Georgi Kodinov <joro@sun.com> | 2009-10-20 13:09:16 +0300 |
---|---|---|
committer | Georgi Kodinov <joro@sun.com> | 2009-10-20 13:09:16 +0300 |
commit | 90d32d8bc834e0ab662369e989bab3ce431bb107 (patch) | |
tree | ac3f1bd35fb2058219af036e32ba36d306a68eaf /vio | |
parent | f54ac30b5f3f00b0687ada42bb29a21b2a2718a1 (diff) | |
download | mariadb-git-90d32d8bc834e0ab662369e989bab3ce431bb107.tar.gz |
Bug #47320: OpenSSL client does not check YaSSL server certificate
Removed the verify callback: it is not needed even for verifying self-signed
certificates, and it was a security problem.
Diffstat (limited to 'vio')
-rw-r--r-- | vio/viosslfactories.c | 53 |
1 files changed, 2 insertions, 51 deletions
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
index 1ac5d96d158..6fea8e85a47 100644
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -123,55 +123,6 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
 }
-static int
-vio_verify_callback(int ok, X509_STORE_CTX *ctx)
-{
- char buf[256];
- X509* err_cert;
- int err,depth;
-
- DBUG_ENTER("vio_verify_callback");
- DBUG_PRINT("enter", ("ok=%d, ctx=%p", ok, ctx));
- err_cert=X509_STORE_CTX_get_current_cert(ctx);
- err= X509_STORE_CTX_get_error(ctx);
- depth= X509_STORE_CTX_get_error_depth(ctx);
-
- X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof(buf));
- if (!ok)
- {
- DBUG_PRINT("error",("verify error: num: %d : '%s'\n",err,
- X509_verify_cert_error_string(err)));
- if (verify_depth >= depth)
- {
- ok=1;
- verify_error=X509_V_OK;
- }
- else
- {
- verify_error=X509_V_ERR_CERT_CHAIN_TOO_LONG;
- }
- }
- switch (ctx->error) {
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
- X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256);
- DBUG_PRINT("info",("issuer= %s\n",buf));
- break;
- case X509_V_ERR_CERT_NOT_YET_VALID:
- case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
- DBUG_PRINT("error", ("notBefore"));
- /*ASN1_TIME_print_fp(stderr,X509_get_notBefore(ctx->current_cert));*/
- break;
- case X509_V_ERR_CERT_HAS_EXPIRED:
- case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
- DBUG_PRINT("error", ("notAfter error"));
- /*ASN1_TIME_print_fp(stderr,X509_get_notAfter(ctx->current_cert));*/
- break;
- }
- DBUG_PRINT("exit", ("%d", ok));
- DBUG_RETURN(ok);
-}
-
-
 #ifdef __NETWARE__
 /* NetWare SSL cleanup */
@@ -263,7 +214,7 @@ new_VioSSLConnectorFd(const char* key_file,
 result=SSL_CTX_set_cipher_list(ptr->ssl_context, cipher);
 DBUG_PRINT("info",("SSL_set_cipher_list() returned %d",result));
 }
- SSL_CTX_set_verify(ptr->ssl_context, verify, vio_verify_callback);
+ SSL_CTX_set_verify(ptr->ssl_context, verify, NULL);
 if (vio_set_cert_stuff(ptr->ssl_context, cert_file, key_file) == -1)
 {
 DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
@@ -360,7 +311,7 @@ new_VioSSLAcceptorFd(const char *key_file,
 SSL_CTX_sess_set_cache_size(ptr->ssl_context,128);
 /* DH? */
- SSL_CTX_set_verify(ptr->ssl_context, verify, vio_verify_callback);
+ SSL_CTX_set_verify(ptr->ssl_context, verify, NULL);
 SSL_CTX_set_session_id_context(ptr->ssl_context,
 (const uchar*) &(ptr->session_id_context),
 sizeof(ptr->session_id_context)); |
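Review bot: With the callback replaced by NULL in new_VioSSLConnectorFd, whether a bad server certificate aborts the handshake now rests entirely on the `verify` mode chosen earlier in the function (outside this hunk): if that mode is SSL_VERIFY_NONE the client still accepts any certificate, and even with SSL_VERIFY_PEER OpenSSL validates only the chain, not that the subject or SAN matches the host being connected to, so a hostname check after the handshake is still needed to reject a valid but unrelated certificate. The deleted callback was the only visible user of `verify_depth` and `verify_error`, which it referenced without declaring, so they are presumably dead file-scope state now (their declarations are not in view) and worth removing, or the depth limit it enforced can be kept explicitly with `SSL_CTX_set_verify_depth(ptr->ssl_context, verify_depth);`. A why-comment at the call would keep the next maintainer from re-adding a callback: `/* No verify callback: the old one forced ok=1 and accepted bad certs (Bug #47320); let OpenSSL reject chain errors itself. */`.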