change how self-signed certs are accepted by internal client

use SSL_VERIFY_PEER with the "always ok" callback, instead of SSL_VERIFY_NONE with no callback. The latter doesn't work correctly in wolfSSL, it accepts self-signed certificates just fine (as in OpenSSL), but after that SSL_get_verify_result() returns X509_V_OK, while it returns an error (e.g. X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) in OpenSSL.
2025-01-16 03:52:35 +01:00 · 2023-09-03 22:34:03 +02:00 · 2023-09-03 22:34:03 +02:00 · 2f13f7d78f
commit 2f13f7d78f
parent 05a421eb36
1 changed files with 9 additions and 6 deletions
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@ -457,6 +457,10 @@ err0:
  DBUG_RETURN(0);
 }

+int always_ok(int preverify, X509_STORE_CTX* store)
+{
+    return 1;
+}

 /************************ VioSSLConnectorFd **********************************/
 struct st_VioSSLFd *
@ -466,14 +470,14 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
                      const char *crl_file, const char *crl_path)
 {
  struct st_VioSSLFd *ssl_fd;
-  int verify= SSL_VERIFY_PEER;
+  int (*cb)(int, X509_STORE_CTX *) = NULL;

  /*
-    Turn off verification of servers certificate if both
-    ca_file and ca_path is set to NULL
+    Don't abort when the certificate cannot be verified if neither
+    ca_file nor ca_path were set.
  */
  if ((ca_file == 0 || ca_file[0] == 0) && (ca_path == 0 || ca_path[0] == 0))
-    verify= SSL_VERIFY_NONE;
+    cb= always_ok;

  /* Init the VioSSLFd as a "connector" ie. the client side */
  if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file, ca_path, cipher,
@ -482,8 +486,7 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
    return 0;
  }

-  SSL_CTX_set_verify(ssl_fd->ssl_context, verify, NULL);
-
+  SSL_CTX_set_verify(ssl_fd->ssl_context, SSL_VERIFY_PEER, cb);
  return ssl_fd;
 }