summaryrefslogtreecommitdiffstats
path: root/src/PolarSSL++
diff options
context:
space:
mode:
authormadmaxoft <github@xoft.cz>2014-04-28 21:16:32 +0200
committermadmaxoft <github@xoft.cz>2014-04-28 21:16:32 +0200
commit16b3eae8623916fa7bc2cd9cad292bbad8d6a116 (patch)
tree85c81bb6f48178740098ddf008f5c1fe6d7dc1e5 /src/PolarSSL++
parentReordered constructors. (diff)
downloadcuberite-16b3eae8623916fa7bc2cd9cad292bbad8d6a116.tar
cuberite-16b3eae8623916fa7bc2cd9cad292bbad8d6a116.tar.gz
cuberite-16b3eae8623916fa7bc2cd9cad292bbad8d6a116.tar.bz2
cuberite-16b3eae8623916fa7bc2cd9cad292bbad8d6a116.tar.lz
cuberite-16b3eae8623916fa7bc2cd9cad292bbad8d6a116.tar.xz
cuberite-16b3eae8623916fa7bc2cd9cad292bbad8d6a116.tar.zst
cuberite-16b3eae8623916fa7bc2cd9cad292bbad8d6a116.zip
Diffstat (limited to '')
-rw-r--r--src/PolarSSL++/SslContext.cpp62
-rw-r--r--src/PolarSSL++/SslContext.h3
2 files changed, 65 insertions, 0 deletions
diff --git a/src/PolarSSL++/SslContext.cpp b/src/PolarSSL++/SslContext.cpp
index e7fa11c75..1994cf844 100644
--- a/src/PolarSSL++/SslContext.cpp
+++ b/src/PolarSSL++/SslContext.cpp
@@ -64,7 +64,12 @@ int cSslContext::Initialize(bool a_IsClient, const SharedPtr<cCtrDrbgContext> &
ssl_set_bio(&m_Ssl, ReceiveEncrypted, this, SendEncrypted, this);
#ifdef _DEBUG
+ /*
+ // These functions allow us to debug SSL and certificate problems, but produce way too much output,
+ // so they're disabled until someone needs them
ssl_set_dbg(&m_Ssl, &SSLDebugMessage, this);
+ ssl_set_verify(&m_Ssl, &SSLVerifyCert, this);
+ */
#endif
m_IsValid = true;
@@ -174,6 +179,63 @@ int cSslContext::NotifyClose(void)
LOGD("SSL (%d): %s", a_Level, Text.c_str());
}
+
+
+
+
+
+ int cSslContext::SSLVerifyCert(void * a_This, x509_crt * a_Crt, int a_Depth, int * a_Flags)
+ {
+ char buf[1024];
+ UNUSED(a_This);
+
+ LOG("Verify requested for (Depth %d):", a_Depth);
+ x509_crt_info(buf, sizeof(buf) - 1, "", a_Crt);
+ LOG("%s", buf);
+
+ int Flags = *a_Flags;
+ if ((Flags & BADCERT_EXPIRED) != 0)
+ {
+ LOG(" ! server certificate has expired");
+ }
+
+ if ((Flags & BADCERT_REVOKED) != 0)
+ {
+ LOG(" ! server certificate has been revoked");
+ }
+
+ if ((Flags & BADCERT_CN_MISMATCH) != 0)
+ {
+ LOG(" ! CN mismatch");
+ }
+
+ if ((Flags & BADCERT_NOT_TRUSTED) != 0)
+ {
+ LOG(" ! self-signed or not signed by a trusted CA");
+ }
+
+ if ((Flags & BADCRL_NOT_TRUSTED) != 0)
+ {
+ LOG(" ! CRL not trusted");
+ }
+
+ if ((Flags & BADCRL_EXPIRED) != 0)
+ {
+ LOG(" ! CRL expired");
+ }
+
+ if ((Flags & BADCERT_OTHER) != 0)
+ {
+ LOG(" ! other (unknown) flag");
+ }
+
+ if (Flags == 0)
+ {
+ LOG(" This certificate has no flags");
+ }
+
+ return 0;
+ }
#endif // _DEBUG
diff --git a/src/PolarSSL++/SslContext.h b/src/PolarSSL++/SslContext.h
index 6effdcaea..85add5f8b 100644
--- a/src/PolarSSL++/SslContext.h
+++ b/src/PolarSSL++/SslContext.h
@@ -120,6 +120,9 @@ protected:
#ifdef _DEBUG
/** The callback used by PolarSSL to output debug messages */
static void SSLDebugMessage(void * a_UserParam, int a_Level, const char * a_Text);
+
+ /** The callback used by PolarSSL to log information on the cert chain */
+ static int SSLVerifyCert(void * a_This, x509_crt * a_Crt, int a_Depth, int * a_Flags);
#endif // _DEBUG
/** Called when PolarSSL wants to read encrypted data. */