Don't display messages about verify depth in s_server if -quiet it set.
Add support for separate verify and chain stores in s_client.
This commit is contained in:
Dr. Stephen Henson
parent
20b431e3a9
commit
a5afc0a8f4
@ -201,4 +201,7 @@ int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
|
||||
int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
|
||||
int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
|
||||
STACK_OF(OPENSSL_STRING) *str, int no_ecdhe);
|
||||
int ssl_load_stores(SSL_CTX *ctx,
|
||||
const char *vfyCApath, const char *vfyCAfile,
|
||||
const char *chCApath, const char *chCAfile);
|
||||
#endif
|
||||
|
||||
29
apps/s_cb.c
29
apps/s_cb.c
@ -1671,3 +1671,32 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int ssl_load_stores(SSL_CTX *ctx,
|
||||
const char *vfyCApath, const char *vfyCAfile,
|
||||
const char *chCApath, const char *chCAfile)
|
||||
{
|
||||
X509_STORE *vfy = NULL, *ch = NULL;
|
||||
int rv = 0;
|
||||
if (vfyCApath || vfyCAfile)
|
||||
{
|
||||
vfy = X509_STORE_new();
|
||||
if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
|
||||
goto err;
|
||||
SSL_CTX_set1_verify_cert_store(ctx, vfy);
|
||||
}
|
||||
if (chCApath || chCAfile)
|
||||
{
|
||||
ch = X509_STORE_new();
|
||||
if (!X509_STORE_load_locations(ch, chCAfile, chCApath))
|
||||
goto err;
|
||||
SSL_CTX_set1_chain_cert_store(ctx, ch);
|
||||
}
|
||||
rv = 1;
|
||||
err:
|
||||
if (vfy)
|
||||
X509_STORE_free(vfy);
|
||||
if (ch)
|
||||
X509_STORE_free(ch);
|
||||
return rv;
|
||||
}
|
||||
|
||||
@ -581,6 +581,8 @@ int MAIN(int argc, char **argv)
|
||||
X509 *cert = NULL;
|
||||
EVP_PKEY *key = NULL;
|
||||
char *CApath=NULL,*CAfile=NULL;
|
||||
char *chCApath=NULL,*chCAfile=NULL;
|
||||
char *vfyCApath=NULL,*vfyCAfile=NULL;
|
||||
int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
|
||||
int crlf=0;
|
||||
int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
|
||||
@ -901,6 +903,16 @@ int MAIN(int argc, char **argv)
|
||||
if (--argc < 1) goto bad;
|
||||
CApath= *(++argv);
|
||||
}
|
||||
else if (strcmp(*argv,"-chainCApath") == 0)
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
chCApath= *(++argv);
|
||||
}
|
||||
else if (strcmp(*argv,"-verifyCApath") == 0)
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
vfyCApath= *(++argv);
|
||||
}
|
||||
else if (strcmp(*argv,"-build_chain") == 0)
|
||||
build_chain = 1;
|
||||
else if (strcmp(*argv,"-CAfile") == 0)
|
||||
@ -908,6 +920,16 @@ int MAIN(int argc, char **argv)
|
||||
if (--argc < 1) goto bad;
|
||||
CAfile= *(++argv);
|
||||
}
|
||||
else if (strcmp(*argv,"-chainCAfile") == 0)
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
chCAfile= *(++argv);
|
||||
}
|
||||
else if (strcmp(*argv,"-verifyCAfile") == 0)
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
vfyCAfile= *(++argv);
|
||||
}
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
# ifndef OPENSSL_NO_NEXTPROTONEG
|
||||
else if (strcmp(*argv,"-nextprotoneg") == 0)
|
||||
@ -1157,6 +1179,13 @@ bad:
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile))
|
||||
{
|
||||
BIO_printf(bio_err, "Error loading store locations\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
if (ssl_client_engine)
|
||||
{
|
||||
|
||||
@ -216,9 +216,6 @@ static int generate_session_id(const SSL *ssl, unsigned char *id,
|
||||
unsigned int *id_len);
|
||||
static void init_session_cache_ctx(SSL_CTX *sctx);
|
||||
static void free_sessions(void);
|
||||
static int ssl_load_stores(SSL_CTX *sctx,
|
||||
const char *vfyCApath, const char *vfyCAfile,
|
||||
const char *chCApath, const char *chCAfile);
|
||||
#ifndef OPENSSL_NO_DH
|
||||
static DH *load_dh_param(const char *dhfile);
|
||||
static DH *get_dh512(void);
|
||||
@ -1057,7 +1054,8 @@ int MAIN(int argc, char *argv[])
|
||||
s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE;
|
||||
if (--argc < 1) goto bad;
|
||||
verify_depth=atoi(*(++argv));
|
||||
BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
|
||||
if (!s_quiet)
|
||||
BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
|
||||
}
|
||||
else if (strcmp(*argv,"-Verify") == 0)
|
||||
{
|
||||
@ -1065,7 +1063,8 @@ int MAIN(int argc, char *argv[])
|
||||
SSL_VERIFY_CLIENT_ONCE;
|
||||
if (--argc < 1) goto bad;
|
||||
verify_depth=atoi(*(++argv));
|
||||
BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth);
|
||||
if (!s_quiet)
|
||||
BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth);
|
||||
}
|
||||
else if (strcmp(*argv,"-context") == 0)
|
||||
{
|
||||
@ -3399,42 +3398,3 @@ static void free_sessions(void)
|
||||
}
|
||||
first = NULL;
|
||||
}
|
||||
|
||||
static int ssl_load_stores(SSL_CTX *sctx,
|
||||
const char *vfyCApath, const char *vfyCAfile,
|
||||
const char *chCApath, const char *chCAfile)
|
||||
{
|
||||
X509_STORE *vfy = NULL, *ch = NULL;
|
||||
int rv = 0;
|
||||
if (vfyCApath || vfyCAfile)
|
||||
{
|
||||
vfy = X509_STORE_new();
|
||||
if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
|
||||
goto err;
|
||||
SSL_CTX_set1_verify_cert_store(ctx, vfy);
|
||||
}
|
||||
if (chCApath || chCAfile)
|
||||
{
|
||||
ch = X509_STORE_new();
|
||||
if (!X509_STORE_load_locations(ch, chCAfile, chCApath))
|
||||
goto err;
|
||||
/*X509_STORE_set_verify_cb(ch, verify_callback);*/
|
||||
SSL_CTX_set1_chain_cert_store(ctx, ch);
|
||||
}
|
||||
rv = 1;
|
||||
err:
|
||||
if (vfy)
|
||||
X509_STORE_free(vfy);
|
||||
if (ch)
|
||||
X509_STORE_free(ch);
|
||||
return rv;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user