authorRomain DEP <rom1dep@gmail.com>2018-07-21 20:27:49 +0200
committerlouiz’ <louiz@louiz.org>2018-07-22 14:38:51 +0200
commit85288fd0b31027e7948180e0e057242e13f15da4 (patch)
tree3de9cd42529497b9289fa87f114da17aac6edafd
parent458ea53db3edc7318e88a2612baa793a1232cc75 (diff)
add 'verify_certificate' as possible configuration token for policy files
This lets the user configure a per-domain certificate validation policy
-rw-r--r--src/network/tcp_socket_handler.cpp5
-rw-r--r--src/network/tls_policy.cpp7
-rw-r--r--src/network/tls_policy.hpp2
3 files changed, 14 insertions, 0 deletions
diff --git a/src/network/tcp_socket_handler.cpp b/src/network/tcp_socket_handler.cpp
index 642cf03..c6e173d 100644
--- a/src/network/tcp_socket_handler.cpp
+++ b/src/network/tcp_socket_handler.cpp
@@ -332,6 +332,11 @@ void TCPSocketHandler::tls_verify_cert_chain(const std::vector<Botan::X509_Certi
Botan::Usage_Type usage, const std::string& hostname,
const Botan::TLS::Policy& policy)
{
+ if (!this->policy.verify_certificate_info())
+ {
+ log_debug("Not verifying certificate due to domain policy ");
+ return;
+ }
log_debug("Checking remote certificate for hostname ", hostname);
try
{
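Review bot: The early return added at the top of tls_verify_cert_chain records the skipped verification only at debug level and without the hostname, so an operator reading normal logs cannot tell which peer was connected to with chain and hostname validation switched off; the message string also carries a trailing space. Since this branch bypasses every check that follows, it deserves a more visible record, e.g. `log_warning("Not verifying certificate for ", hostname, " due to domain policy");` (assuming the project's logger provides log_warning alongside log_debug). The condition reads `this->policy` while the Botan `policy` parameter of the same name shadows it, which is easy to misread; a one-line comment such as `// this->policy is the per-domain policy loaded from the policy file, not the Botan policy argument` would make the distinction explicit. The function's body continues past the end of the hunk.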
diff --git a/src/network/tls_policy.cpp b/src/network/tls_policy.cpp
index b88eb88..8aa8b72 100644
--- a/src/network/tls_policy.cpp
+++ b/src/network/tls_policy.cpp
@@ -37,6 +37,8 @@ void BiboumiTLSPolicy::load(std::istream& is)
// Workaround for options that are not overridden in Botan::TLS::Text_Policy
if (pair.first == "require_cert_revocation_info")
this->req_cert_revocation_info = !(pair.second == "0" || utils::tolower(pair.second) == "false");
+ else if (pair.first == "verify_certificate")
+ this->verify_certificate = !(pair.second == "0" || utils::tolower(pair.second) == "false");
else
this->set(pair.first, pair.second);
}
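Review bot: The new branch copies the false-detection expression from the require_cert_revocation_info line above it, so the two can drift apart; a file-local helper keeps them identical, e.g. `static bool is_false_value(const std::string& v) { return v == "0" || utils::tolower(v) == "false"; }` used as `this->verify_certificate = !is_false_value(pair.second);`. Any other spelling (for example "no" or "off") leaves verification enabled, which is the safe direction, but that behaviour should be stated in the policy-file documentation so a mistyped value is not mistaken for an opt-out. The comment above the chain, "Workaround for options that are not overridden in Botan::TLS::Text_Policy", no longer fits: verify_certificate is never forwarded to `this->set` and is handled entirely here, so amend it to something like `// Keys handled locally: Botan options not overridable through Text_Policy, plus the biboumi-specific verify_certificate`. load's body begins and continues outside the hunk.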
@@ -47,4 +49,9 @@ bool BiboumiTLSPolicy::require_cert_revocation_info() const
return this->req_cert_revocation_info;
}
+bool BiboumiTLSPolicy::verify_certificate_info() const
+{
+ return this->verify_certificate;
+}
+
#endif
diff --git a/src/network/tls_policy.hpp b/src/network/tls_policy.hpp
index 29fd2b3..a0790a3 100644
--- a/src/network/tls_policy.hpp
+++ b/src/network/tls_policy.hpp
@@ -21,8 +21,10 @@ public:
BiboumiTLSPolicy &operator=(BiboumiTLSPolicy &&) = delete;
bool require_cert_revocation_info() const override;
+ bool verify_certificate_info() const;
protected:
bool req_cert_revocation_info{true};
+ bool verify_certificate{true};
};
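Review bot: The new `verify_certificate` member and its accessor `verify_certificate_info()` are undocumented, and nothing in the header says that the default `true` means "verify" while `false` disables certificate validation for that domain. The accessor name also suggests it reports some "info" rather than a yes/no switch; the `_info` suffix only makes sense for the Botan override above it. Suggest a comment on the member, `// false disables certificate chain and hostname verification for this domain (policy key "verify_certificate"); defaults to verifying`, and on the accessor, `// Whether the peer certificate must be validated; consulted by TCPSocketHandler::tls_verify_cert_chain`. The class definition starts before the hunk.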
#endif