}
+static X509 *
+tls_get_cert( SSL *s )
+{
+ /* If peer cert was bad, treat as if no cert was given */
+ if (SSL_get_verify_result(s)) {
+ /* If we can send an alert, do so */
+ if (SSL_version(s) != SSL2_VERSION) {
+ ssl3_send_alert(s,SSL3_AL_WARNING,SSL3_AD_BAD_CERTIFICATE);
+ }
+ return NULL;
+ }
+ return SSL_get_peer_certificate(s);
+}
+
char *
ldap_pvt_tls_get_peer( void *s )
{
X509_NAME *xn;
char buf[2048], *p;
- /* If peer cert was bad, treat as if no cert was given */
- if (SSL_get_verify_result((SSL *)s))
- return NULL;
- x = SSL_get_peer_certificate((SSL *)s);
+ x = tls_get_cert((SSL *)s);
if (!x)
return NULL;
X509_NAME *xn;
char buf[2048], *p, *dn;
- if (SSL_get_verify_result((SSL *)s))
- return NULL;
-
- x = SSL_get_peer_certificate((SSL *)s);
+ x = tls_get_cert((SSL *)s);
if (!x) return NULL;
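Review bot: The new `x = tls_get_cert((SSL *)s);` routes the certificate fetch through a helper that, on a non-OK SSL_get_verify_result(), writes a SSL3_AD_BAD_CERTIFICATE warning alert to the peer before returning NULL, so an accessor now has a wire side effect and every further accessor called on the same session (the same replacement appears in the two later hunks, `x = tls_get_cert((SSL *)s);` before `if (!x)` and before the `Debug( LDAP_DEBUG_ANY,` branch) sends one more alert per call; the alert would be better sent once from the handshake or verify-callback path, with the helper reduced to the verify check plus `SSL_get_peer_certificate(s)`. ssl3_send_alert() also does not appear in OpenSSL's public headers, so the file would need its own prototype and may break on a library update — worth confirming against the OpenSSL version this targets. The object returned is the counted reference from SSL_get_peer_certificate(); the matching X509_free is outside the hunk, so it cannot be checked here. The enclosing function starts and ends outside the hunk.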
char buf[2048], *p;
int ret;
- if (SSL_get_verify_result((SSL *)s))
- return NULL;
-
- x = SSL_get_peer_certificate((SSL *)s);
+ x = tls_get_cert((SSL *)s);
if (!x)
return NULL;
name = name_in;
}
- if (SSL_get_verify_result((SSL *)s))
- return LDAP_CONNECT_ERROR;
-
- x = SSL_get_peer_certificate((SSL *)s);
+ x = tls_get_cert((SSL *)s);
if (!x)
{
Debug( LDAP_DEBUG_ANY,
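Review bot: Dropping the explicit `return LDAP_CONNECT_ERROR;` for a failed verify result folds a rejected peer certificate into the `if (!x)` branch together with the no-certificate case, so both now yield whatever that branch returns (only its `Debug( LDAP_DEBUG_ANY,` opening is visible) and the log no longer says whether a certificate was rejected or simply absent. If the two outcomes should stay distinguishable, keep a guard before the call, e.g. `if (SSL_get_verify_result((SSL *)s) != X509_V_OK) { Debug( LDAP_DEBUG_ANY, "TLS: peer certificate failed verification\n", 0, 0, 0 ); return LDAP_CONNECT_ERROR; }`, or have the helper log the verify error before returning NULL. The enclosing function starts and ends outside the hunk.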
sname = X509_NAME_oneline( subject, NULL, 0 );
iname = X509_NAME_oneline( issuer, NULL, 0 );
Debug( LDAP_DEBUG_TRACE,
- "TLS certificate verification: depth: %d, subject: %s, issuer: %s\n",
- errdepth,
- sname ? sname : "-unknown-",
- iname ? iname : "-unknown-" );
+ "TLS certificate verification: depth: %d, err: %d, subject: %s,",
+ errdepth, errnum,
+ sname ? sname : "-unknown-" );
+ Debug( LDAP_DEBUG_TRACE, " issuer: %s\n", iname ? iname : "-unknown-", 0, 0 );
if ( sname )
CRYPTO_free ( sname );
if ( iname )