authorAlan Antonuk <alan.antonuk@gmail.com>2015-10-13 21:32:15 -0700
committerAlan Antonuk <alan.antonuk@gmail.com>2015-10-15 22:22:42 -0700
commit17410d968b890d1545b84debf0f83059f2aabdeb (patch)
tree57c160ac0e94f4067d8becf2d7914f5195a0526d /librabbitmq/amqp_openssl.c
parentba7c342a55e200d1f72b30d74df1591b0f72de49 (diff)
Lib: separate peer & hostname SSL cert validation
Add amqp_ssl_socket_set_verify_peer which controls peer certificate validation, and amqp_ssl_socket_set_verify_hostname which controls hostname validation in the certificate. Additionally this deprecates amqp_ssl_socket_set_verify. Fixes #180, #279, #303
Diffstat (limited to 'librabbitmq/amqp_openssl.c')
-rw-r--r--librabbitmq/amqp_openssl.c38
1 files changed, 29 insertions, 9 deletions
diff --git a/librabbitmq/amqp_openssl.c b/librabbitmq/amqp_openssl.c
index bb28ddb..727f48c 100644
--- a/librabbitmq/amqp_openssl.c
+++ b/librabbitmq/amqp_openssl.c
@@ -70,7 +70,8 @@ struct amqp_ssl_socket_t {
SSL_CTX *ctx;
int sockfd;
SSL *ssl;
- amqp_boolean_t verify;
+ amqp_boolean_t verify_peer;
+ amqp_boolean_t verify_hostname;
int internal_error;
};
@@ -312,13 +313,15 @@ start_connect:
goto error_out2;
}
- result = SSL_get_verify_result(self->ssl);
- if (X509_V_OK != result) {
- self->internal_error = result;
- status = AMQP_STATUS_SSL_PEER_VERIFY_FAILED;
- goto error_out3;
+ if (self->verify_peer) {
+ result = SSL_get_verify_result(self->ssl);
+ if (X509_V_OK != result) {
+ self->internal_error = result;
+ status = AMQP_STATUS_SSL_PEER_VERIFY_FAILED;
+ goto error_out3;
+ }
}
- if (self->verify) {
+ if (self->verify_hostname) {
int verify_status = amqp_ssl_socket_verify_hostname(self, host);
if (verify_status) {
self->internal_error = 0;
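Review bot: Once `self->verify_peer` is cleared, the hostname check in the `if (self->verify_hostname)` branch still runs against a certificate whose chain result was never inspected, so a successful name match no longer authenticates the peer on its own; that interaction deserves a comment on the branch, e.g. `/* A hostname match only authenticates the peer when verify_peer is also set. */`. Whether the handshake itself still requests and validates the peer certificate depends on the SSL_CTX verify mode configured elsewhere in the file, which this hunk does not show, so the comment should be confirmed against that setup. The enclosing connect function starts and ends outside the hunk.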
@@ -425,7 +428,8 @@ amqp_ssl_socket_new(amqp_connection_state_t state)
self->sockfd = -1;
self->klass = &amqp_ssl_socket_class;
- self->verify = 1;
+ self->verify_peer = 1;
+ self->verify_hostname = 1;
status = initialize_openssl();
if (status) {
@@ -555,12 +559,28 @@ void
amqp_ssl_socket_set_verify(amqp_socket_t *base,
amqp_boolean_t verify)
{
+ amqp_ssl_socket_set_verify_peer(base, verify);
+ amqp_ssl_socket_set_verify_hostname(base, verify);
+}
+
+void amqp_ssl_socket_set_verify_peer(amqp_socket_t *base,
+ amqp_boolean_t verify) {
+ struct amqp_ssl_socket_t *self;
+ if (base->klass != &amqp_ssl_socket_class) {
+ amqp_abort("<%p> is not of type amqp_ssl_socket_t", base);
+ }
+ self = (struct amqp_ssl_socket_t *)base;
+ self->verify_peer = verify;
+}
+
+void amqp_ssl_socket_set_verify_hostname(amqp_socket_t *base,
+ amqp_boolean_t verify) {
struct amqp_ssl_socket_t *self;
if (base->klass != &amqp_ssl_socket_class) {
amqp_abort("<%p> is not of type amqp_ssl_socket_t", base);
}
self = (struct amqp_ssl_socket_t *)base;
- self->verify = verify;
+ self->verify_hostname = verify;
}
void
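Review bot: The two new setters repeat the class check and downcast verbatim, and their layout (`{` on the signature line) differs from the file's convention visible in `amqp_ssl_socket_set_verify` just above, where the return type and opening brace sit on their own lines. A small static helper would keep the check in one place and let both setters follow the existing layout, while the deprecated `amqp_ssl_socket_set_verify` keeps forwarding as written. `amqp_ssl_socket_set_verify_peer` also deserves a comment stating that clearing the flag skips the `SSL_get_verify_result()` check in the connect path, since that is the security-relevant consequence of the setting.
```c
/* Abort unless base really is an amqp_ssl_socket_t; returns the downcast pointer. */
static struct amqp_ssl_socket_t *
ssl_socket_from_base(amqp_socket_t *base)
{
  if (base->klass != &amqp_ssl_socket_class) {
    amqp_abort("<%p> is not of type amqp_ssl_socket_t", base);
  }
  return (struct amqp_ssl_socket_t *)base;
}

/* … unchanged: amqp_ssl_socket_set_verify forwarding to both setters … */

void
amqp_ssl_socket_set_verify_peer(amqp_socket_t *base,
                                amqp_boolean_t verify)
{
  /* Clearing this skips the SSL_get_verify_result() check after the handshake. */
  ssl_socket_from_base(base)->verify_peer = verify;
}

void
amqp_ssl_socket_set_verify_hostname(amqp_socket_t *base,
                                    amqp_boolean_t verify)
{
  ssl_socket_from_base(base)->verify_hostname = verify;
}
```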