[svn] Always use SSL_VERIFY_NONE, so that the handshake finishes even if the

certificate is invalid.  That way ssl_check_server_identity can provide
better diagnostics on why the verification failed.

diff --git a/src/ChangeLog b/src/ChangeLog
index e2c50ea4c2691e24dea8eb98c1f0a4c8667cdf65..0b5960f1b39f60795d2459c95fdcf8aff1787061 100644 (file)
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,10 @@
+2005-05-11  Hrvoje Niksic  <hniksic@xemacs.org>
+
+       * openssl.c (ssl_init): Always use SSL_VERIFY_NONE, so that the
+       handshake finishes even if the certificate is invalid.  That way
+       ssl_check_server_identity can provide better diagnostics on why
+       the verification failed.
+
 2005-05-11  Hrvoje Niksic  <hniksic@xemacs.org>
 
        * openssl.c (pattern_match): New function.

diff --git a/src/openssl.c b/src/openssl.c
index 46e100dcc661d0cf69d86a9bb44beb8a7298d47f..92f806ca01a8429efccdb2ab990a4aafbf1c69e5 100644 (file)
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -212,10 +212,11 @@ ssl_init ()
   SSL_CTX_set_default_verify_paths (ssl_ctx);
   SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
 
-  /* Specify whether the connect should fail if the verification of
-     the peer fails or if it should go ahead.  */
-  SSL_CTX_set_verify (ssl_ctx,
-                     opt.check_cert ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL);
+  /* SSL_VERIFY_NONE instructs OpenSSL not to abort SSL_connect if the
+     certificate is invalid.  We verify the certificate separately in
+     ssl_check_server_identity, which provides much better diagnostics
+     than examining the error stack after a failed SSL_connect.  */
+  SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_NONE, NULL);
 
   if (opt.cert_file)
     if (SSL_CTX_use_certificate_file (ssl_ctx, opt.cert_file,
@@ -307,10 +308,11 @@ openssl_close (int fd, void *ctx)
   DEBUGP (("Closed %d/SSL 0x%0lx\n", fd, (unsigned long) ssl));
 }
 
-/* Sets up a SSL structure and performs the handshake on fd.  The
-   resulting SSL structure is registered with the file descriptor FD
-   using fd_register_transport.  That way subsequent calls to xread,
-   xwrite, etc., will use the appropriate SSL functions.
+/* Perform the SSL handshake on file descriptor FD, which is assumed
+   to be connected to an SSL server.  The SSL handle provided by
+   OpenSSL is registered with the file descriptor FD using
+   fd_register_transport, so that subsequent calls to fd_read,
+   fd_write, etc., will use the corresponding SSL functions.
 
    Returns 1 on success, 0 on failure.  */
 
@@ -329,10 +331,8 @@ ssl_connect (int fd)
   if (SSL_connect (ssl) <= 0 || ssl->state != SSL_ST_OK)
     goto error;
 
-  /* Register FD with Wget's transport layer, i.e. arrange that
-     SSL-enabled functions are used for reading, writing, and polling.
-     That way the rest of Wget can keep using fd_read, fd_write, and
-     friends and not care what happens underneath.  */
+  /* Register FD with Wget's transport layer, i.e. arrange that our
+     functions are used for reading, writing, and polling.  */
   fd_register_transport (fd, openssl_read, openssl_write, openssl_poll,
                         openssl_peek, openssl_close, ssl);
   DEBUGP (("Connected %d to SSL 0x%0*lx\n", fd, 2 * sizeof (void *),
@@ -394,7 +394,7 @@ pattern_match (const char *pattern, const char *string)
 int
 ssl_check_server_identity (int fd, const char *host)
 {
-  X509 *peer_cert = NULL;
+  X509 *peer_cert;
   char peer_CN[256];
   long vresult;
   int retval;