kore

An easy to use, scalable and secure web application framework for writing web APIs in C.

commit f975453565bee0711633af2e1b7cb60a45e3a728
parent 0288902a1bada9456aa07593fc9d30b91fa97bd9
Author: Joris Vink <joris@coders.se>
Date:   Fri, 20 Feb 2015 10:43:31 +0100

Set X509 verification callback and log errors.

When using client certificates Kore now calls
domain_x509_verify() and logs any certificate
verification errors that might occur.

CRL validity errors are ignored.

Diffstat:
src/domain.c | 37+++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+), 0 deletions(-)

diff --git a/src/domain.c b/src/domain.c
@@ -26,6 +26,10 @@ DH *ssl_dhparam = NULL;
static void domain_load_crl(struct kore_domain *);
+#if !defined(KORE_BENCHMARK)
+static int domain_x509_verify(int, X509_STORE_CTX *);
+#endif
+
void kore_domain_init(void) {
@@ -206,5 +210,38 @@ domain_load_crl(struct kore_domain *dom)
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+ X509_STORE_set_verify_cb(store, domain_x509_verify);
#endif
}
+
+#if !defined(KORE_BENCHMARK)
+static int
+domain_x509_verify(int ok, X509_STORE_CTX *ctx)
+{
+ X509 *cert;
+ const char *text;
+ int error, depth;
+
+ error = X509_STORE_CTX_get_error(ctx);
+ cert = X509_STORE_CTX_get_current_cert(ctx);
+
+ if (ok == 0 && cert != NULL) {
+ text = X509_verify_cert_error_string(error);
+ depth = X509_STORE_CTX_get_error_depth(ctx);
+
+ kore_log(LOG_WARNING, "X509 verification error depth:%d - %s",
+ depth, text);
+
+ /* Continue on CRL validity errors. */
+ switch (error) {
+ case X509_V_ERR_CRL_HAS_EXPIRED:
+ case X509_V_ERR_CRL_NOT_YET_VALID:
+ case X509_V_ERR_UNABLE_TO_GET_CRL:
+ ok = 1;
+ break;
+ }
+ }
+
+ return (ok);
+}
+#endif
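Review bot: The `switch (error)` in domain_x509_verify() resets `ok = 1` for X509_V_ERR_CRL_HAS_EXPIRED, X509_V_ERR_CRL_NOT_YET_VALID and X509_V_ERR_UNABLE_TO_GET_CRL, so revocation checking fails open: when the CRL is stale or missing, a client certificate revoked since the last usable CRL is still accepted, and the only trace is the same LOG_WARNING line that a rejected certificate produces. I would log the override explicitly, e.g. `kore_log(LOG_NOTICE, "X509 CRL error ignored depth:%d - %s", depth, text);` just before `ok = 1;`, and consider keeping X509_V_ERR_UNABLE_TO_GET_CRL fatal at depth 0 or putting the ignore policy behind a configuration option. The warning also omits the certificate subject, which makes it hard to tie a log entry to a specific client during triage. The callback is installed from domain_load_crl(), whose body starts outside the hunk, so whether it is also set when no CRL is configured cannot be confirmed from here.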