* Returns: true on success
* false on failure
*/
-bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock)
+bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)
{
TLS_CONNECTION *tls;
goto err;
}
- if (!tls_postconnect_verify_host(tls, bsock->host())) {
- Qmsg1(bsock->jcr(), M_FATAL, 0, _("TLS host certificate verification failed. Host %s did not match presented certificate\n"),
- bsock->host());
- goto err;
+ /* If there's an Allowed CN verify list, use that to validate the remote
+ * certificate's CN. Otherwise, we use standard host/CN matching. */
+ if (verify_list) {
+ if (!tls_postconnect_verify_cn(tls, verify_list)) {
+ Qmsg1(bsock->jcr(), M_FATAL, 0, _("TLS certificate verification failed."
+ " Peer certificate did not match a required commonName\n"),
+ bsock->host());
+ goto err;
+ }
+ } else {
+ if (!tls_postconnect_verify_host(tls, bsock->host())) {
+ Qmsg1(bsock->jcr(), M_FATAL, 0, _("TLS host certificate verification failed. Host %s did not match presented certificate\n"),
+ bsock->host());
+ goto err;
+ }
}
+
return true;
err:
Jmsg(bsock->jcr(), M_ABORT, 0, _("TLS enabled but not configured.\n"));
return false;
}
-bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock)
+bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list, int verify_hostname)
{
Jmsg(bsock->jcr(), M_ABORT, 0, _("TLS enable but not configured.\n"));
return false;
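Review bot: The non-TLS stub signature on L37 takes `alist *verify_list, int verify_hostname` while the TLS build of the same function on L5 takes only `alist *verify_list`, so the two configurations of `bnet_tls_client` disagree and whichever prototype the header declares will not compile against the other. The signatures should be made identical, either by dropping the extra parameter here, `bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK * bsock, alist *verify_list)`, or by adding `int verify_hostname` to the TLS build as well; note that in the TLS build (L16-L28) the CN list replaces host matching rather than supplementing it, so if the flag is meant to force host verification it is currently honoured by nothing. The stub's abort message on L39 also still reads `TLS enable but not configured.` while the TLS build on L33 says `TLS enabled but not configured.`; using the same text in both keeps log matching consistent. The stub's closing brace lies outside the hunk.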
/*
* Try to connect to host for max_retry_time at retry_time intervals.
*/
-BSOCK *bnet_connect(JCR * jcr, int retry_interval, int max_retry_time,
+BSOCK *bnet_connect(JCR * jcr, int retry_interval, utime_t max_retry_time,
const char *name, char *host, char *service, int port,
int verbose)
{
int i;
BSOCK *bsock;
int fatal = 0;
+ time_t begin_time = time(NULL);
+ time_t now;
for (i = 0; (bsock = bnet_open(jcr, name, host, service, port, &fatal)) == NULL;
i -= retry_interval) {
"Retrying ...\n"), name, host, port, be.strerror());
}
bmicrosleep(retry_interval, 0);
- max_retry_time -= retry_interval;
- if (max_retry_time <= 0) {
+ now = time(NULL);
+ if (begin_time + max_retry_time <= now) {
Qmsg4(jcr, M_FATAL, 0, _("Unable to connect to %s on %s:%d. ERR=%s\n"),
name, host, port, be.strerror());
return NULL;