authorWillem Toorop <willem@nlnetlabs.nl>2019-03-15 14:42:08 +0100
committerWillem Toorop <willem@nlnetlabs.nl>2019-03-15 14:42:08 +0100
commit8ba817f1517b4d123af0cc83aadacd5893934b51 (patch)
treeb882e145785a8f11207f6ea4d7937ef7cffe1e30
parent5b9c6161190872935a83017b70bb4cf6e963b48c (diff)
downloadldns-8ba817f1517b4d123af0cc83aadacd5893934b51.tar.gz
bugfix: Manage verification paths for OpenSSL >= 1.1.0
Thanks Marco Davids
-rw-r--r--Changelog2
-rw-r--r--examples/ldns-dane.c21
2 files changed, 21 insertions, 2 deletions
diff --git a/Changelog b/Changelog
index 55bbd731..2204f6d1 100644
--- a/Changelog
+++ b/Changelog
@@ -1,4 +1,6 @@
1.7.1 ????-??-??
+ * bugfix: Manage verification paths for OpenSSL >= 1.1.0
+ Thanks Marco Davids
* bugfix #4106: find the SDK on MacOS X <= 10.6
Thanks Bill Cole
* bugfix #4155: ldns-config contains never used variables
diff --git a/examples/ldns-dane.c b/examples/ldns-dane.c
index a846d338..538ac121 100644
--- a/examples/ldns-dane.c
+++ b/examples/ldns-dane.c
@@ -61,7 +61,7 @@
static void
print_usage(const char* progname)
{
-#ifdef USE_DANE_VERIY
+#ifdef USE_DANE_VERIFY
printf("Usage: %s [OPTIONS] verify <name> <port>\n", progname);
printf(" or: %s [OPTIONS] -t <tlsafile> verify\n", progname);
printf("\n\tVerify the TLS connection at <name>:<port> or"
@@ -1140,6 +1140,15 @@ dane_verify(ldns_rr_list* tlsas, ldns_rdf* address,
}
#endif /* defined(USE_DANE_VERIFY) && OPENSSL_VERSION_NUMBER < 0x10100000 */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000 && ! defined(HAVE_LIBRESSL)
+static int _ldns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx)
+{
+ (void)ok;
+ (void)ctx;
+ return 1;
+}
+#endif
+
/**
* Return either an A or AAAA rdf, based on the given
* string. If it it not a valid ip address, return null.
@@ -1695,6 +1704,12 @@ main(int argc, char* const* argv)
if (ctx && SSL_CTX_dane_enable(ctx) <= 0) {
ssl_err("could not SSL_CTX_dane_enable");
}
+ if (CAfile || CApath) {
+ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath))
+ ssl_err("could not set verify locations\n");
+
+ } else if (!SSL_CTX_set_default_verify_paths(ctx))
+ ssl_err("could not set default verify paths\n");
#endif
if (! ctx) {
ssl_err("could not SSL_CTX_new");
@@ -1870,7 +1885,7 @@ main(int argc, char* const* argv)
continue;
}
ret = SSL_dane_tlsa_add(ssl,
- ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0)),
+ ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 0)) | (assume_pkix_validity ? 2 : 0),
ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 1)),
ldns_rdf2native_int8(ldns_rr_rdf(tlsa_rr, 2)),
ldns_rdf_data(ldns_rr_rdf(tlsa_rr, 3)),
@@ -1889,6 +1904,8 @@ main(int argc, char* const* argv)
if (!usable_tlsas) {
fprintf(stderr, "No usable TLSA records were found.\n"
"PKIX validation without DANE will be performed.\n");
+ if (assume_pkix_validity)
+ SSL_set_verify(ssl, SSL_VERIFY_PEER, _ldns_tls_verify_always_ok);
}
}
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000 */
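Review bot: The verify-location block added after `SSL_CTX_dane_enable` hands `ctx` to `SSL_CTX_load_verify_locations` / `SSL_CTX_set_default_verify_paths` without the `ctx &&` guard the preceding line uses, and the `if (! ctx)` check only follows afterwards, so if `ssl_err` does not terminate the program a NULL `ctx` reaches OpenSSL here. Guard it like the line above, `if (ctx && (CAfile || CApath)) {` and `} else if (ctx && !SSL_CTX_set_default_verify_paths(ctx))`, or move the block below the `! ctx` check. In the last hunk, installing `_ldns_tls_verify_always_ok` makes every chain acceptable, so the stderr text two lines earlier ("PKIX validation without DANE will be performed") is no longer accurate when `assume_pkix_validity` is set and the message should state that validation is skipped in that case. The bare `| (assume_pkix_validity ? 2 : 0)` in the `SSL_dane_tlsa_add` hunk deserves a named constant or a comment such as `/* bit 1 maps PKIX-TA/PKIX-EE (0/1) onto DANE-TA/DANE-EE (2/3) so no PKIX check is done */`. The enclosing `main` starts and ends outside these hunks.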