From cde990f4aa1c9fdb19f0a703175be7e4af2926ed Mon Sep 17 00:00:00 2001
From: Michael Steinert
Date: Tue, 11 Dec 2012 12:42:31 -0700
Subject: Enable SSL hostname verification by default
Signed-off-by: Michael Steinert
---
.gitignore | 1 +
Makefile.am | 3 ---
configure.ac | 2 +-
librabbitmq/amqp_gnutls.c | 3 ++-
librabbitmq/amqp_openssl.c | 2 +-
librabbitmq/amqp_polarssl.c | 1 +
librabbitmq/amqp_ssl_socket.h | 2 +-
7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/.gitignore b/.gitignore
index a33a375..797169a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -42,6 +42,7 @@ examples/amqps_producer
examples/amqps_sendstring
examples/amqps_unbind
librabbitmq.pc
+test-driver
tests/test_parse_url
tests/test_tables
tools/amqp-consume
diff --git a/Makefile.am b/Makefile.am
index 3201f7d..d8b4554 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -78,9 +78,6 @@ include_HEADERS += librabbitmq/amqp_ssl_socket.h
endif
if REGENERATE_AMQP_FRAMING
-BUILT_SOURCES = \
- $(top_builddir)/librabbitmq/amqp_framing.h \
- $(top_builddir)/librabbitmq/amqp_framing.c
if PYTHON3
codegen_py = $(top_builddir)/librabbitmq/python3/codegen3.py
diff --git a/configure.ac b/configure.ac
index dce2d1b..c4b058b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -203,5 +203,5 @@ $PACKAGE_NAME build options:
SSL/TLS: $with_ssl
Tools: $enable_tools
Documentation: $enable_docs
- Examples: $enable_examples
+ Examples: $enable_examples
])
diff --git a/librabbitmq/amqp_gnutls.c b/librabbitmq/amqp_gnutls.c
index 93273d7..6339281 100644
--- a/librabbitmq/amqp_gnutls.c
+++ b/librabbitmq/amqp_gnutls.c
@@ -221,6 +221,8 @@ amqp_ssl_socket_new(void)
if (GNUTLS_E_SUCCESS != status) {
goto error;
}
+ gnutls_certificate_set_verify_function(self->credentials,
+ amqp_ssl_verify);
status = gnutls_credentials_set(self->session, GNUTLS_CRD_CERTIFICATE, self->credentials);
if (GNUTLS_E_SUCCESS != status) {
@@ -274,7 +276,6 @@ amqp_ssl_socket_set_key(amqp_socket_t *base,
if (0 > status) {
return -1;
}
- return 0; }
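Review bot: Removing the BUILT_SOURCES assignment under REGENERATE_AMQP_FRAMING drops the automake mechanism that guarantees amqp_framing.h and amqp_framing.c are generated before any object that includes the header is compiled, and nothing in this hunk replaces that ordering; on a clean tree with regeneration enabled the first compile of a unit that includes amqp_framing.h may run before the generator, unless an explicit dependency is declared elsewhere in the Makefile. The removal is also unrelated to the commit subject (SSL hostname verification), so it would be easier to bisect as a separate commit. If the ordering is provided elsewhere, a comment above the conditional such as `# amqp_framing.{h,c} dependencies are declared on the generating rule below` would record why BUILT_SOURCES is no longer needed.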
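Review bot: The verify callback is installed on the credentials, but nothing in this hunk binds the expected hostname to the session, so whether amqp_ssl_verify can check the peer name (the point of the commit subject) depends on code outside this view — presumably the open path stores the host via gnutls_session_set_ptr() or gnutls_server_name_set() for the callback to read; worth confirming, since a callback that only validates the chain would accept any certificate the configured CA has issued. gnutls_certificate_set_verify_function() returns void, so the absence of a status check after it is correct. A comment above the call, `/* installed on the credentials: rejects the handshake unless the chain verifies and the peer name matches the host bound to the session */`, would document the contract the callback is expected to meet. amqp_ssl_socket_new continues outside the hunk.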
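Review bot: The removed line in the amqp_ssl_socket_set_key hunk appears as `- return 0; }` in this collapsed diff, so it is not certain whether the deletion is the blank line before `return 0;` or the statement itself; if it is the statement, the success path now runs off the end of a non-void function and any caller that tests the result reads an indeterminate value. The hunk should be checked in its un-collapsed form; if only whitespace was removed, nothing is wrong. The function body begins outside the hunk.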
diff --git a/librabbitmq/amqp_openssl.c b/librabbitmq/amqp_openssl.c
index c3451ae..7054859 100644
--- a/librabbitmq/amqp_openssl.c
+++ b/librabbitmq/amqp_openssl.c
@@ -351,7 +351,7 @@ password_cb(AMQP_UNUSED char *buffer, AMQP_UNUSED int rwflag, AMQP_UNUSED void *user_data)
{
- amqp_abort("don't use password protected keys!");
+ amqp_abort("rabbitmq-c does not support password protected keys");
return 0;
}
diff --git a/librabbitmq/amqp_polarssl.c b/librabbitmq/amqp_polarssl.c
index 1c7c9f3..8616df3 100644
--- a/librabbitmq/amqp_polarssl.c
+++ b/librabbitmq/amqp_polarssl.c
@@ -211,6 +211,7 @@ amqp_ssl_socket_new(void)
ssl_set_endpoint(self->ssl, SSL_IS_CLIENT);
ssl_set_rng(self->ssl, ctr_drbg_random, self->ctr_drbg);
ssl_set_ciphersuites(self->ssl, ssl_default_ciphersuites);
+ ssl_set_authmode(self->ssl, SSL_VERIFY_REQUIRED);
self->session = calloc(1, sizeof(*self->session));
if (!self->session) {
goto error;
diff --git a/librabbitmq/amqp_ssl_socket.h b/librabbitmq/amqp_ssl_socket.h
index 693ea96..c2f40b3 100644
--- a/librabbitmq/amqp_ssl_socket.h
+++ b/librabbitmq/amqp_ssl_socket.h
@@ -95,7 +95,7 @@ amqp_ssl_socket_set_key_buffer(amqp_socket_t *self,
* Enable or disable peer verification.
*
* If peer verification is enabled then the common name in the server
- * certificate must match the server name. Peer verification is disabled by
+ * certificate must match the server name. Peer verification is enabled by
* default.
*
* \param [in,out] self An SSL/TLS socket object.
--
cgit v1.2.1
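Review bot: The message change leaves the behaviour of password_cb intact: amqp_abort() still terminates the entire process from inside an OpenSSL callback whenever an encrypted private key is loaded, and the `return 0;` after it is unreachable. A pem_password_cb that returns 0 makes the PEM read fail, so replacing the abort with `/* 0 makes the PEM load fail; the caller reports the unsupported key */` and keeping the existing `return 0;` would let the key-loading path surface an error instead of killing an application that may hold other connections. Whether every caller of that path checks its status is not visible here.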
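Review bot: SSL_VERIFY_REQUIRED makes the handshake fail when the chain does not verify, but in PolarSSL the peer name is only compared when it is passed as the peer_cn argument of ssl_set_ca_chain(); that call is outside this hunk, so whether this backend actually performs the hostname check the commit subject announces depends on the hostname being supplied there rather than NULL — worth confirming. With no CA chain configured the required mode is expected to reject every server, which is the safe default but should be stated in the amqp_ssl_socket.h documentation (a CA certificate must be set before connecting). A comment above the new line, `/* mandatory verification: a CA chain and the expected peer CN must be supplied via ssl_set_ca_chain before the handshake */`, would make the contract explicit. amqp_ssl_socket_new continues outside the hunk.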