11 Jun 2006, 5:51 p.m.
On Thu, 2006-06-01 at 10:13 +0200, HenkJan Wolthuis wrote:
> Hi,
> I've attached a new version of my patch against ssl_proxy-openssl.c which:
Thanks, committed to CVS now although with some changes.
> - ssl_verify_client_cert now returns 0 in case of an invalid cert. was there a reason why it always returned 1?
Yes. ssl_verify_client_cert=yes doesn't require the certificate to be valid. Only ssl_require_valid_client_cert=yes in auth settings does that. This allows for some people to authenticate with certificates and others to authenticate the usual way. So I dropped this part of your patch.
> - if ((store = SSL_CTX_get_cert_store(ssl_ctx)) != NULL)
>       { X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); }
>   else
>       { i_warning("X509 get cert store failed..."); }
Can it ever return NULL? Looking at the manual page, it didn't seem so, so I dropped the NULL-check from here.