author | joe <joe@61a7d7f5-40b7-0310-9c16-bb0ea8cb1845> | 2014-09-20 18:57:01 +0000 |
---|---|---|
committer | joe <joe@61a7d7f5-40b7-0310-9c16-bb0ea8cb1845> | 2014-09-20 18:57:01 +0000 |
commit | e650cb1d461f5afb8f360545b18253c68fa2548e (patch) | |
tree | dd9ec448db3feea7370ac361c190a3906886b6ce /src | |
parent | a842c6c6cdf7103d88d652c34caae4acc5c7602b (diff) | |
* src/ne_openssl.c (ne__negotiate_ssl): Don't fail hard for SSL cert
change, invoke verify callback.
git-svn-id: http://svn.webdav.org/repos/projects/neon/trunk@1938 61a7d7f5-40b7-0310-9c16-bb0ea8cb1845
Diffstat (limited to 'src')
-rw-r--r-- | src/ne_openssl.c | 13 |
1 files changed, 3 insertions, 10 deletions
diff --git a/src/ne_openssl.c b/src/ne_openssl.c
index f8350fa..b2bad39 100644
--- a/src/ne_openssl.c
+++ b/src/ne_openssl.c
@@ -728,17 +728,10 @@ int ne__negotiate_ssl(ne_session *sess)
 return NE_ERROR;
 }
- if (sess->server_cert) {
- int diff = X509_cmp(sk_X509_value(chain, 0), sess->server_cert->subject);
+ if (sess->server_cert
+ && X509_cmp(sk_X509_value(chain, 0), sess->server_cert->subject) == 0) {
+ /* Same leaf cert used as last time - no need to reverify. */
 if (freechain) sk_X509_free(chain); /* no longer need the chain */
- if (diff) {
- /* This could be a MITM attack: fail the request. */
- ne_set_error(sess, _("Server certificate changed: "
- "connection intercepted?"));
- return NE_ERROR;
- }
- /* certificate has already passed verification: no need to
- * verify it again. */
 } else {
 /* new connection: create the chain. */
 ne_ssl_certificate *cert = make_chain(chain); |
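Review bot: The `else` branch is now also taken when `sess->server_cert` is already set but the leaf certificate differs, so its comment `/* new connection: create the chain. */` no longer matches the code; something like `/* first connection, or the leaf cert changed: build and verify the new chain. */` would be accurate. The rest of that branch lies outside the hunk; if it stores the new chain in `sess->server_cert`, the previously cached chain should be released first (e.g. `ne_ssl_cert_free(sess->server_cert);`), otherwise it would presumably leak on every certificate change. With the hard failure removed, a changed certificate is caught only by the verification that follows, so an application whose verify callback accepts every failure no longer gets any signal of a mid-session certificate swap; a debug log line on the changed-cert path would keep that event visible.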