From 4af77916e462afe123cd57d4ca24165c9c78e72c Mon Sep 17 00:00:00 2001
From: "nelsonb%netscape.com"
Date: Fri, 9 Nov 2001 05:45:21 +0000
Subject: Added a new -o option, to override check on received client auth certs, forcing those certs to be OK. -v will now test the SSL_LocalCertificate() function. Bug 78959.
---
 security/nss/cmd/selfserv/selfserv.c | 34 +++++++++++++++++++++++++++++-----
 1 file changed, 29 insertions(+), 5 deletions(-)
(limited to 'security/nss/cmd/selfserv')
diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c
index faed1768a..cfb978c1e 100644
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -318,7 +318,9 @@ printSecurityInfo(PRFileDesc *fd)
 }
 }
 if (requestCert)
- cert = SSL_RevealCert(fd);
+ cert = SSL_PeerCertificate(fd);
+ else
+ cert = SSL_LocalCertificate(fd);
 if (cert) {
 char * ip = CERT_NameToAscii(&cert->issuer);
 char * sp = CERT_NameToAscii(&cert->subject);
@@ -336,6 +338,19 @@ printSecurityInfo(PRFileDesc *fd)
 FLUSH;
 }
+static int MakeCertOK;
+
+static SECStatus
+myBadCertHandler( void *arg, PRFileDesc *fd)
+{
+ int err = PR_GetError();
+ if (!MakeCertOK)
+ fprintf(stderr,
+ "selfserv: -- SSL: Client Certificate Invalid, err %d.\n%s\n",
+ err, SECU_Strerror(err));
+ return (MakeCertOK ? SECSuccess : SECFailure);
+}
+
 /**************************************************************************
 ** Begin thread management routines and data.
 **************************************************************************/
@@ -1191,6 +1206,10 @@ server_main(
 }
 }
 }
+
+ if (MakeCertOK)
+ SSL_BadCertHook(model_sock, myBadCertHandler, NULL);
+
 /* end of ssl configuration. */
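Review bot: The new `else` branch changes what printSecurityInfo prints when client auth is not requested: `cert` is then the server's own certificate rather than a peer certificate, and nothing in the hunk says so. A short comment above the `else`, `/* no client cert requested: show our own cert (exercises SSL_LocalCertificate()) */`, would keep a reader from taking the printed issuer/subject for a client certificate. The labels printed with `ip`/`sp` and the release of `cert` are outside this hunk; if they still describe the cert as the peer's or client's, they should be made conditional as well. printSecurityInfo's body starts and ends outside the hunk.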
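Review bot: The `!MakeCertOK` branch in myBadCertHandler is unreachable as committed: server_main (the third hunk of this file) installs the hook only `if (MakeCertOK)`, so the failure reason for a rejected client certificate is never printed in the default mode, and in `-o` mode the override accepts the certificate without a trace. Installing the hook unconditionally, `SSL_BadCertHook(model_sock, myBadCertHandler, NULL);` without the `if`, keeps the diagnostic for the strict case, and printing the same line in the override case would show in test output which connections were accepted only because of `-o`. A header comment should also state that returning SECSuccess here makes the library accept the client certificate regardless of the verification error that was reported, which is why it is gated on the flag; `arg` is unused and could be silenced with `(void)arg;`.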
@@ -1353,7 +1372,10 @@ main(int argc, char **argv)
 PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
- optstate = PL_CreateOptState(argc, argv, "2:3DM:RTc:d:p:mn:hi:f:rt:vw:xl");
+ /* please keep this list of options in ASCII collating sequence.
+ ** numbers, then capital letters, then lower case, alphabetical.
+ */
+ optstate = PL_CreateOptState(argc, argv, "2:3DM:RTc:d:f:hi:lmn:op:rt:vw:x");
 while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 ++optionsFound;
 switch(optstate->option) {
@@ -1363,8 +1385,6 @@ main(int argc, char **argv)
 case 'D': noDelay = PR_TRUE; break;
- case 'l': useLocalThreads = PR_TRUE; break;
-
 case 'M': maxProcs = PORT_Atoi(optstate->value);
 if (maxProcs < 1)
 maxProcs = 1;
@@ -1383,11 +1403,15 @@ main(int argc, char **argv)
 case 'h': Usage(progName); exit(0); break;
+ case 'i': pidFile = optstate->value; break;
+
+ case 'l': useLocalThreads = PR_TRUE; break;
+
 case 'm': useModelSocket = PR_TRUE; break;
 case 'n': nickName = strdup(optstate->value); break;
- case 'i': pidFile = optstate->value; break;
+ case 'o': MakeCertOK = 1; break;
 case 'p': port = PORT_Atoi(optstate->value); break;
--
cgit v1.2.1
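Review bot: The new `case 'o'` has no matching text in Usage(): the diffstat lists only selfserv.c and no hunk touches Usage(), so `-o` is parsed but absent from the program's own help (inferred from the hunks shown; Usage() itself is outside this diff). A line such as `"-o    override the client certificate check: treat invalid client certs as OK\n"` next to the other option descriptions in Usage() would close that gap. The option switch continues outside the hunk.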