| 123456789101112131415161718192021222324252627282930313233343536373839404142434445 |
- From 9fa5c1908e866d9480bfaf0516111c4741adbd59 Mon Sep 17 00:00:00 2001
- From: Alexander Barton <alex@barton.de>
- Date: Tue, 2 Jan 2024 20:55:15 +0100
- Subject: [PATCH 06/20] S2S-TLS/OpenSSL: Set the verification flags only once
- Set the verification flags in the ConnSSL_SetVerifyProperties_openssl
- function only, don't override them in ConnSSL_InitLibrary() afterwards.
- No functional changes, now ConnSSL_SetVerifyProperties_openssl() sets
- exactly the parameters which ConnSSL_InitLibrary() always overwrote ...
- (cherry picked from commit 08647ab1e7cf0d034f2d8987a3cac3201af84e02)
- ---
- src/ngircd/conn-ssl.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
- --- a/src/ngircd/conn-ssl.c
- +++ b/src/ngircd/conn-ssl.c
- @@ -401,8 +401,6 @@
- SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
- SSL_OP_NO_COMPRESSION);
- SSL_CTX_set_mode(newctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
- - SSL_CTX_set_verify(newctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
- - Verify_openssl);
- SSL_CTX_free(ssl_ctx);
- ssl_ctx = newctx;
- Log(LOG_INFO, "%s initialized.", OpenSSL_version(OPENSSL_VERSION));
- @@ -615,7 +613,6 @@
- {
- X509_STORE *store = NULL;
- X509_LOOKUP *lookup;
- - int verify_flags = SSL_VERIFY_PEER;
- bool ret = false;
-
- if (!Conf_SSLOptions.CAFile)
- @@ -649,7 +646,8 @@
- }
- }
-
- - SSL_CTX_set_verify(ctx, verify_flags, Verify_openssl);
- + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
- + Verify_openssl);
- SSL_CTX_set_verify_depth(ctx, MAX_CERT_CHAIN_LENGTH);
- ret = true;
- out:
|
