From: Howard Chu Date: Sun, 27 Jan 2002 03:48:08 +0000 (+0000) Subject: Send a warning to the client if we try to use a bad cert. X-Git-Tag: LDBM_PRE_GIANT_RWLOCK~9 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=63a4a197324090a7e2524386d5c410a85baa071b;p=openldap Send a warning to the client if we try to use a bad cert. --- diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c index 88c3663c03..8d5bd36670 100644 --- a/libraries/libldap/tls.c +++ b/libraries/libldap/tls.c @@ -732,6 +732,20 @@ ldap_pvt_tls_get_strength( void *s ) } +static X509 * +tls_get_cert( SSL *s ) +{ + /* If peer cert was bad, treat as if no cert was given */ + if (SSL_get_verify_result(s)) { + /* If we can send an alert, do so */ + if (SSL_version(s) != SSL2_VERSION) { + ssl3_send_alert(s,SSL3_AL_WARNING,SSL3_AD_BAD_CERTIFICATE); + } + return NULL; + } + return SSL_get_peer_certificate(s); +} + char * ldap_pvt_tls_get_peer( void *s ) { @@ -739,11 +753,8 @@ ldap_pvt_tls_get_peer( void *s ) X509_NAME *xn; char buf[2048], *p; - /* If peer cert was bad, treat as if no cert was given */ - if (SSL_get_verify_result((SSL *)s)) - return NULL; - x = SSL_get_peer_certificate((SSL *)s); + x = tls_get_cert((SSL *)s); if (!x) return NULL; @@ -761,10 +772,7 @@ ldap_pvt_tls_get_peer_dn( void *s ) X509_NAME *xn; char buf[2048], *p, *dn; - if (SSL_get_verify_result((SSL *)s)) - return NULL; - - x = SSL_get_peer_certificate((SSL *)s); + x = tls_get_cert((SSL *)s); if (!x) return NULL; @@ -785,10 +793,7 @@ ldap_pvt_tls_get_peer_hostname( void *s ) char buf[2048], *p; int ret; - if (SSL_get_verify_result((SSL *)s)) - return NULL; - - x = SSL_get_peer_certificate((SSL *)s); + x = tls_get_cert((SSL *)s); if (!x) return NULL; @@ -821,10 +826,7 @@ ldap_pvt_tls_check_hostname( void *s, const char *name_in ) name = name_in; } - if (SSL_get_verify_result((SSL *)s)) - return LDAP_CONNECT_ERROR; - - x = SSL_get_peer_certificate((SSL *)s); + x = tls_get_cert((SSL *)s); if (!x) { Debug( LDAP_DEBUG_ANY, 
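Review bot: The `ssl3_send_alert()` call in the new tls_get_cert() gives four formerly read-only accessors a network side effect whose return value is discarded, and it depends on an OpenSSL-internal symbol — ssl3_send_alert is declared in OpenSSL's private ssl_locl.h, not in the public <openssl/ssl.h>, so unless libldap declares it itself this compiles only as an implicit declaration and can break whenever OpenSSL reshuffles its internals. Because ldap_pvt_tls_get_peer, ldap_pvt_tls_get_peer_dn, ldap_pvt_tls_get_peer_hostname and ldap_pvt_tls_check_hostname all route through the helper now, a peer whose certificate failed verification receives a fresh warning alert on every accessor call, and a warning-level bad_certificate alert does not end the session, so the NULL return remains the only real protection. Rejecting a certificate belongs in the handshake (tls_verify_cb in the second hunk already sees errnum), not in a getter; I would reduce the helper to `if (SSL_get_verify_result(s) != X509_V_OK) return NULL;` followed by `return SSL_get_peer_certificate(s);` and keep the "treat as if no cert was given" comment. Separately, ldap_pvt_tls_check_hostname used to return LDAP_CONNECT_ERROR outright on a verify failure and now drops into its `if (!x)` branch, whose return value lies outside this hunk — worth confirming that branch still fails closed.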
@@ -1243,10 +1245,10 @@ tls_verify_cb( int ok, X509_STORE_CTX *ctx ) sname = X509_NAME_oneline( subject, NULL, 0 ); iname = X509_NAME_oneline( issuer, NULL, 0 ); Debug( LDAP_DEBUG_TRACE, - "TLS certificate verification: depth: %d, subject: %s, issuer: %s\n", - errdepth, - sname ? sname : "-unknown-", - iname ? iname : "-unknown-" ); + "TLS certificate verification: depth: %d, err: %d, subject: %s,", + errdepth, errnum, + sname ? sname : "-unknown-" ); + Debug( LDAP_DEBUG_TRACE, " issuer: %s\n", iname ? iname : "-unknown-", 0, 0 ); if ( sname ) CRYPTO_free ( sname ); if ( iname )
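Review bot: Splitting the trace into two Debug() calls at the new `" issuer: %s\n"` line means one verification's subject and issuer are no longer written atomically; if several connections are verified concurrently, the issuer half can land after another thread's first half and be attributed to the wrong certificate in the log. The bare `err: %d` is also hard to read without a table lookup; OpenSSL's X509_verify_cert_error_string() (declared alongside the X509_NAME_oneline already used here) yields the reason text. I would keep subject and issuer on one complete line as before and put the error code plus its text on a second complete line, so each line is self-describing regardless of interleaving. errnum is presumably taken from the store context earlier in tls_verify_cb, which starts and ends outside this hunk.
```c
	Debug( LDAP_DEBUG_TRACE,
		"TLS certificate verification: depth: %d, subject: %s, issuer: %s\n",
		errdepth, sname ? sname : "-unknown-", iname ? iname : "-unknown-" );
	Debug( LDAP_DEBUG_TRACE,
		"TLS certificate verification: err: %d (%s)\n",
		errnum, X509_verify_cert_error_string( errnum ), 0 );
	/* … unchanged: CRYPTO_free of sname / iname … */
```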