From: Felix Morgner
Date: Mon, 25 Nov 2013 09:43:54 +0000 (+0100)
Subject: Added support for certificate chain delivery via the "ca_path" configuration setting.
X-Git-Url: http://git.code-monkey.de/?a=commitdiff_plain;h=697d68393a174877c2f7743193e229076ddd44e9;p=umurmur.git
Added support for certificate chain delivery via the "ca_path" configuration setting.
---
diff --git a/src/conf.c b/src/conf.c
index 2ec69a5..b29c3db 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -108,6 +108,17 @@ const char *getStrConf(param_t param)
 return "/etc/umurmur/private_key.key";
 }
 break;
+ case CAPATH:
+ setting = config_lookup(&configuration, "ca_path");
+ if (!setting)
+ return NULL;
+ else {
+ if ((strsetting = config_setting_get_string(setting)) != NULL)
+ return strsetting;
+ else
+ return NULL;
+ }
+ break;
 case PASSPHRASE:
 setting = config_lookup(&configuration, "password");
 if (!setting)
diff --git a/src/conf.h b/src/conf.h
index 9cab3d1..463a943 100644
--- a/src/conf.h
+++ b/src/conf.h
@@ -39,6 +39,7 @@ typedef enum param {
 CERTIFICATE,
 KEY,
 PASSPHRASE,
+ CAPATH,
 BINDPORT,
 BINDADDR,
 WELCOMETEXT,
diff --git a/src/ssl.c b/src/ssl.c
index 925795c..1368fa6 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -413,7 +413,7 @@ static X509 *SSL_readcert(char *certfile)
 FILE *fp;
 X509 *x509;
- /* open the private key file */
+ /* open the certificate file */
 fp = fopen(certfile, "r");
 if (fp == NULL) {
 Log_warn("Unable to open the X509 file %s for reading.", certfile);
@@ -497,6 +497,7 @@ static void SSL_writekey(char *keyfile, RSA *rsa)
 }
 static void SSL_initializeCert() {
+ char *crt, *key, *pass;
 crt = (char *)getStrConf(CERTIFICATE);
@@ -509,6 +510,7 @@ static void SSL_initializeCert() {
 pkey = EVP_PKEY_new();
 EVP_PKEY_assign_RSA(pkey, rsa);
 }
+ #if 0 /* Later ... */
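Review bot: In the conf.c hunk, the new `case CAPATH:` branch of getStrConf wraps a single lookup in `else { if (...) ... else return NULL; }` and ends with a `break;` that can never execute, because every path before it returns. The same result reads as one line, `return setting ? config_setting_get_string(setting) : NULL;`, and drops the detour through `strsetting`. The neighbouring cases share this shape, so this is a style point rather than a defect; getStrConf starts and ends outside the hunk.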
@@ -585,16 +587,23 @@ void SSLi_init(void)
 char *cipherstring, tempstring[128];
 SSL_library_init();
- OpenSSL_add_all_algorithms(); /* load & register all cryptos, etc. */
- SSL_load_error_strings(); /* load all error messages */
- ERR_load_crypto_strings(); /* load all error messages */
- method = SSLv23_server_method(); /* create new server-method instance */
- context = SSL_CTX_new(method); /* create new context from method */
- if (context == NULL)
- {
- ERR_print_errors_fp(stderr);
- abort();
- }
+ OpenSSL_add_all_algorithms(); /* load & register all cryptos, etc. */
+ SSL_load_error_strings(); /* load all error messages */
+ ERR_load_crypto_strings(); /* load all error messages */
+ method = SSLv23_server_method(); /* create new server-method instance */
+ context = SSL_CTX_new(method); /* create new context from method */
+ if (context == NULL)
+ {
+ ERR_print_errors_fp(stderr);
+ abort();
+ }
+
+ char* sslCAPath = getStrConf(CAPATH);
+ if(sslCAPath != NULL)
+ {
+ SSL_CTX_load_verify_locations(context, NULL, sslCAPath);
+ }
+ SSL_initializeCert();
 if (SSL_CTX_use_certificate(context, x509) <= 0)
 Log_fatal("Failed to initialize cert");
@@ -602,7 +611,7 @@ void SSLi_init(void)
 ERR_print_errors_fp(stderr);
 Log_fatal("Failed to initialize private key");
 }
-
+ /* Set cipher list */
 ssl = SSL_new(context);
 cipherlist = (STACK_OF(SSL_CIPHER) *) SSL_get_ciphers(ssl);
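Review bot: The return value of `SSL_CTX_load_verify_locations(context, NULL, sslCAPath)` in the first SSLi_init hunk is discarded, so a mistyped or unreadable `ca_path` leaves the context without the configured CA directory and the server starts with no diagnostic, unlike the `SSL_CTX_new` check just above and the `SSL_CTX_use_certificate` check just below. The function returns 1 on success, and a failure should be reported the same way the private-key check in the next hunk does, via `ERR_print_errors_fp(stderr)` and `Log_fatal`. `sslCAPath` should also be declared `const char *`, since getStrConf returns `const char *` per the conf.c hunk header, and because the value is passed as the CApath argument (file argument `NULL`), OpenSSL only consults it when the directory is hash-indexed, which the configuration documentation for `ca_path` should state. SSLi_init continues beyond the hunk.
```c
	const char *sslCAPath = getStrConf(CAPATH);
	if (sslCAPath != NULL && SSL_CTX_load_verify_locations(context, NULL, sslCAPath) != 1) {
		ERR_print_errors_fp(stderr);
		Log_fatal("Failed to load CA path");
	}
	/* … unchanged: SSL_initializeCert() and certificate checks … */
```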