
From a54b6835493767c348b33381040506aee4629d19 Mon Sep 17 00:00:00 2001
From: Adam Williamson <awilliam@redhat.com>
Date: Fri, 19 Sep 2014 18:04:53 -0700
Subject: [PATCH 2/2] allow for certificate store to be unspecified in CA mode

In many cases, using OpenSSL's default certificate store is fine
and even preferred. If your OpenSSL provider (e.g. your
distribution) is competent, they will manage this database
better than you likely will.

This could be refined to test in the NULL case whether the
certificate store is empty, and fail out if so.
---
 src/bip.c        | 12 +++++++++---
 src/connection.c | 17 +++++++++++++++--
 2 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/src/bip.c b/src/bip.c
index 37e72d9..f025c21 100644
--- a/src/bip.c
+++ b/src/bip.c
@@ -1540,9 +1540,15 @@ noroom:
 	bip_notify(ic, "%s", buf);
 
 #ifdef HAVE_LIBSSL
-	bip_notify(ic, "SSL check mode '%s', stored into '%s'",
-		   checkmode2text(u->ssl_check_mode),
-		   STRORNULL(u->ssl_check_store));
+	if (u->ssl_check_store) {
+		bip_notify(ic, "SSL check mode '%s', stored into '%s'",
+				checkmode2text(u->ssl_check_mode),
+				u->ssl_check_store);
+	}
+	else {
+		bip_notify(ic, "SSL check mode '%s', default or no certificate store",
+				checkmode2text(u->ssl_check_mode));
+	}
 	if (u->ssl_client_certfile)
 		bip_notify(ic, "SSL client certificate stored into '%s'",
 				u->ssl_client_certfile);
diff --git a/src/connection.c b/src/connection.c
index b534cd0..ab1516e 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -1470,6 +1470,17 @@ static connection_t *_connection_new_SSL(char *dsthostname, char *dstport,
 		}
 		break;
 	case SSL_CHECK_CA:
+		if (!check_store) {
+			if (SSL_CTX_set_default_verify_paths(conn->ssl_ctx_h)) {
+				mylog(LOG_INFO, "No SSL certificate check store configured. "
+						"Default store will be used.");
+				break;
+			} else {
+				mylog(LOG_ERROR, "No SSL certificate check store configured "
+						"and cannot use default store!");
+				return conn;
+			}
+		}
 		// Check if check_store is a file or directory
 		if (stat(check_store, &st_buf) == 0) {
 			if (st_buf.st_mode & S_IFDIR) {
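Review bot: The success branch at `if (SSL_CTX_set_default_verify_paths(conn->ssl_ctx_h))` treats a non-zero return as proof that a usable trust store exists, but as far as I can tell that call only registers OpenSSL's compiled-in default file and directory locations and does not report whether they exist or hold any CA certificate, so a host with an empty default store passes this check and every CA-mode handshake then fails at verification time (fail-closed, but with an error surfacing far from the configuration that caused it). The commit message already acknowledges this gap; until it is refined, a comment above the call would save the next reader a trip to the OpenSSL docs: `/* Only confirms the default paths were registered, not that they contain any trusted CA; an empty default store still fails verification at handshake time. */`. The `break` that leaves the switch on success deliberately skips the stat()-based loading below, while the `return conn;` on failure relies on the caller recognising a partially initialised conn, as the existing error paths in this switch already do. _connection_new_SSL starts before the hunk and its body continues after it.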
@@ -1490,10 +1501,12 @@ static connection_t *_connection_new_SSL(char *dsthostname, char *dstport,
 				}
 				break;
 			}
-			mylog(LOG_ERROR, "Check store is neither a file nor a directory.");
+			mylog(LOG_ERROR, "Specified SSL certificate check store is neither "
+					"a file nor a directory.");
 			return conn;
 		}
-		mylog(LOG_ERROR, "Can't open check store! Make sure path is correct.");
+		mylog(LOG_ERROR, "Can't open SSL certificate check store! Check path "
+				"and permissions.");
 		return conn;
 	}
 
-- 
2.1.0