authorjoe <joe@61a7d7f5-40b7-0310-9c16-bb0ea8cb1845>2014-09-20 18:57:01 +0000
committerjoe <joe@61a7d7f5-40b7-0310-9c16-bb0ea8cb1845>2014-09-20 18:57:01 +0000
commite650cb1d461f5afb8f360545b18253c68fa2548e (patch)
treedd9ec448db3feea7370ac361c190a3906886b6ce /src
parenta842c6c6cdf7103d88d652c34caae4acc5c7602b (diff)
* src/ne_openssl.c (ne__negotiate_ssl): Don't fail hard for SSL cert
change, invoke verify callback. git-svn-id: http://svn.webdav.org/repos/projects/neon/trunk@1938 61a7d7f5-40b7-0310-9c16-bb0ea8cb1845
Diffstat (limited to 'src')
-rw-r--r--src/ne_openssl.c13
1 files changed, 3 insertions, 10 deletions
diff --git a/src/ne_openssl.c b/src/ne_openssl.c
index f8350fa..b2bad39 100644
--- a/src/ne_openssl.c
+++ b/src/ne_openssl.c
@@ -728,17 +728,10 @@ int ne__negotiate_ssl(ne_session *sess)
return NE_ERROR;
}
- if (sess->server_cert) {
- int diff = X509_cmp(sk_X509_value(chain, 0), sess->server_cert->subject);
+ if (sess->server_cert
+ && X509_cmp(sk_X509_value(chain, 0), sess->server_cert->subject) == 0) {
+ /* Same leaf cert used as last time - no need to reverify. */
if (freechain) sk_X509_free(chain); /* no longer need the chain */
- if (diff) {
- /* This could be a MITM attack: fail the request. */
- ne_set_error(sess, _("Server certificate changed: "
- "connection intercepted?"));
- return NE_ERROR;
- }
- /* certificate has already passed verification: no need to
- * verify it again. */
} else {
/* new connection: create the chain. */
ne_ssl_certificate *cert = make_chain(chain);
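Review bot: When `sess->server_cert` is already set and `X509_cmp` reports a different leaf, control now enters the `else` branch with the previous certificate still stored in the session, and that branch's comment `/* new connection: create the chain. */` no longer describes the case. The rest of the branch lies outside this hunk; if it assigns the new chain to `sess->server_cert`, as the first-connection path suggests, the old object is overwritten without being released, so free it before the new chain is stored: `if (sess->server_cert) { ne_ssl_cert_free(sess->server_cert); sess->server_cert = NULL; }`. The removed check was the only place a mid-session certificate change was reported, so please confirm that the verification further down reaches the application's verify callback for a changed leaf even when the new chain validates cleanly, rather than only on validation failures. I would also reword the branch comment to `/* new connection, or leaf cert changed: build and verify the chain. */`.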