Incluindo opção para validação da lista de certificados SSL revogados

(CRL).

Incluindo opção para validação da lista de certificados SSL revogados
(CRL).
Perry Werneck
1 parent 8a8b871d
Showing 4 changed files with 21 additions and 15 deletions Show diff stats
configure.ac
pw3270.cbp
src/include/config.h.in
src/lib3270/ssl.c
@@ -325,7 +325,7 @@ if test $app_cv_fvisibility_ok = yes; then
 fi
  
 dnl ---------------------------------------------------------------------------
-dnl Allow self signed certificates in SSL connections?
+dnl SSL Security options
 dnl ---------------------------------------------------------------------------
  
 AC_ARG_ENABLE([self-signed-certs],
@@ -336,8 +336,20 @@ AC_ARG_ENABLE([self-signed-certs],
 	app_cv_self_signed_certs="yes"
 ])
  
+AC_ARG_WITH([ssl-crl-check],
+	[AS_HELP_STRING([--with-ssl-crl-check], [enable validation of the certificate revogation list in TN3270S connections])],
+[
+	app_cv_enable_crl_check="$withval"
+],[
+	app_cv_enable_crl_check="no"
+])
+
 if test "$app_cv_self_signed_certs" == "yes"; then
-	AC_DEFINE(ENABLE_SELF_SIGNED_CERT)
+	AC_DEFINE(SSL_ALLOW_SELF_SIGNED_CERT)
+fi
+
+if test "$app_cv_enable_crl_check" == "yes"; then
+	AC_DEFINE(SSL_ENABLE_CRL_CHECK)
 fi
  
  
@@ -62,24 +62,17 @@
 		<Unit filename="android/src/br/com/bb/pw3270/PW3270Activity.java" />
 		<Unit filename="android/src/br/com/bb/pw3270/lib3270.java" />
 		<Unit filename="autogen.sh" />
-		<Unit filename="colors.conf" />
 		<Unit filename="configure.ac" />
-		<Unit filename="debian.changelog" />
-		<Unit filename="debian.control" />
-		<Unit filename="debian.rules" />
-		<Unit filename="makedeb.sh" />
-		<Unit filename="makegtkruntime.sh.in" />
 		<Unit filename="man/man1/pw3270.1" />
-		<Unit filename="pw3270.spec.in" />
 		<Unit filename="src/classlib/Makefile.in" />
 		<Unit filename="src/classlib/class.mak.in" />
 		<Unit filename="src/classlib/private.h" />
+		<Unit filename="src/include/config.h.in" />
 		<Unit filename="src/include/lib3270.h" />
 		<Unit filename="src/include/lib3270/X11keysym.h" />
 		<Unit filename="src/include/lib3270/action_table.h" />
 		<Unit filename="src/include/lib3270/actions.h" />
 		<Unit filename="src/include/lib3270/charset.h" />
-		<Unit filename="src/include/lib3270/config.h.in" />
 		<Unit filename="src/include/lib3270/filetransfer.h" />
 		<Unit filename="src/include/lib3270/html.h" />
 		<Unit filename="src/include/lib3270/internals.h" />
@@ -49,7 +49,8 @@
 	#undef HAVE_ICONV
 	#undef ICONV_CONST
  
-	#undef ENABLE_SELF_SIGNED_CERT
+	#undef SSL_ALLOW_SELF_SIGNED_CERT
+	#undef SSL_ENABLE_CRL_CHECK
  
 #ifdef WIN32
 	#undef HAVE_WIN_REGISTRY
@@ -139,7 +139,7 @@ int ssl_negotiate(H3270 *hSession)
 		peer = SSL_get_peer_certificate(hSession->ssl_con);
 		trace_dsn(hSession,"%s","TLS/SSL negotiated connection complete with self signed certificate in certificate chain\n" );
  
-#ifdef ENABLE_SELF_SIGNED_CERT
+#ifdef SSL_ALLOW_SELF_SIGNED_CERT
 		break;
 #else
 		lib3270_disconnect(hSession);
@@ -151,7 +151,7 @@ int ssl_negotiate(H3270 *hSession)
 							);
  
 		return -1;
-#endif // ENABLE_SELF_SIGNED_CERT
+#endif // SSL_ALLOW_SELF_SIGNED_CERT
  
 	default:
 		trace_dsn(hSession,"Unexpected or invalid TLS/SSL verify result %d\n",rv);
@@ -255,7 +255,7 @@ int ssl_init(H3270 *hSession)
 		SSL_CTX_set_info_callback(ssl_ctx, ssl_info_callback);
 		SSL_CTX_set_default_verify_paths(ssl_ctx);
  
-		/*
+#if defined(SSL_ENABLE_CRL_CHECK)
 		// Set up CRL validation
 		// https://stackoverflow.com/questions/4389954/does-openssl-automatically-handle-crls-certificate-revocation-lists-now
 		X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
@@ -265,9 +265,9 @@ int ssl_init(H3270 *hSession)
 		X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
 		X509_STORE_set1_param(store, param);
 		X509_VERIFY_PARAM_free(param);
-		*/
  
 		// X509_STORE_free(store);
+#endif // SSL_ENABLE_CRL_CHECK
  
 #if defined(_WIN32)
 		{
...	...	@@ -325,7 +325,7 @@ if test $app_cv_fvisibility_ok = yes; then
325	325	fi
326	326
327	327	dnl ---------------------------------------------------------------------------
328		-dnl Allow self signed certificates in SSL connections?
	328	+dnl SSL Security options
329	329	dnl ---------------------------------------------------------------------------
330	330
331	331	AC_ARG_ENABLE([self-signed-certs],
...	...	@@ -336,8 +336,20 @@ AC_ARG_ENABLE([self-signed-certs],
336	336	app_cv_self_signed_certs="yes"
337	337	])
338	338
	339	+AC_ARG_WITH([ssl-crl-check],
	340	+ [AS_HELP_STRING([--with-ssl-crl-check], [enable validation of the certificate revogation list in TN3270S connections])],
	341	+[
	342	+ app_cv_enable_crl_check="$withval"
	343	+],[
	344	+ app_cv_enable_crl_check="no"
	345	+])
	346	+
339	347	if test "$app_cv_self_signed_certs" == "yes"; then
340		- AC_DEFINE(ENABLE_SELF_SIGNED_CERT)
	348	+ AC_DEFINE(SSL_ALLOW_SELF_SIGNED_CERT)
	349	+fi
	350	+
	351	+if test "$app_cv_enable_crl_check" == "yes"; then
	352	+ AC_DEFINE(SSL_ENABLE_CRL_CHECK)
341	353	fi
342	354
343	355
...	...
...	...	@@ -62,24 +62,17 @@
62	62	<Unit filename="android/src/br/com/bb/pw3270/PW3270Activity.java" />
63	63	<Unit filename="android/src/br/com/bb/pw3270/lib3270.java" />
64	64	<Unit filename="autogen.sh" />
65		- <Unit filename="colors.conf" />
66	65	<Unit filename="configure.ac" />
67		- <Unit filename="debian.changelog" />
68		- <Unit filename="debian.control" />
69		- <Unit filename="debian.rules" />
70		- <Unit filename="makedeb.sh" />
71		- <Unit filename="makegtkruntime.sh.in" />
72	66	<Unit filename="man/man1/pw3270.1" />
73		- <Unit filename="pw3270.spec.in" />
74	67	<Unit filename="src/classlib/Makefile.in" />
75	68	<Unit filename="src/classlib/class.mak.in" />
76	69	<Unit filename="src/classlib/private.h" />
	70	+ <Unit filename="src/include/config.h.in" />
77	71	<Unit filename="src/include/lib3270.h" />
78	72	<Unit filename="src/include/lib3270/X11keysym.h" />
79	73	<Unit filename="src/include/lib3270/action_table.h" />
80	74	<Unit filename="src/include/lib3270/actions.h" />
81	75	<Unit filename="src/include/lib3270/charset.h" />
82		- <Unit filename="src/include/lib3270/config.h.in" />
83	76	<Unit filename="src/include/lib3270/filetransfer.h" />
84	77	<Unit filename="src/include/lib3270/html.h" />
85	78	<Unit filename="src/include/lib3270/internals.h" />
...	...
...	...	@@ -49,7 +49,8 @@
49	49	#undef HAVE_ICONV
50	50	#undef ICONV_CONST
51	51
52		- #undef ENABLE_SELF_SIGNED_CERT
	52	+ #undef SSL_ALLOW_SELF_SIGNED_CERT
	53	+ #undef SSL_ENABLE_CRL_CHECK
53	54
54	55	#ifdef WIN32
55	56	#undef HAVE_WIN_REGISTRY
...	...
...	...	@@ -139,7 +139,7 @@ int ssl_negotiate(H3270 *hSession)
139	139	peer = SSL_get_peer_certificate(hSession->ssl_con);
140	140	trace_dsn(hSession,"%s","TLS/SSL negotiated connection complete with self signed certificate in certificate chain\n" );
141	141
142		-#ifdef ENABLE_SELF_SIGNED_CERT
	142	+#ifdef SSL_ALLOW_SELF_SIGNED_CERT
143	143	break;
144	144	#else
145	145	lib3270_disconnect(hSession);
...	...	@@ -151,7 +151,7 @@ int ssl_negotiate(H3270 *hSession)
151	151	);
152	152
153	153	return -1;
154		-#endif // ENABLE_SELF_SIGNED_CERT
	154	+#endif // SSL_ALLOW_SELF_SIGNED_CERT
155	155
156	156	default:
157	157	trace_dsn(hSession,"Unexpected or invalid TLS/SSL verify result %d\n",rv);
...	...	@@ -255,7 +255,7 @@ int ssl_init(H3270 *hSession)
255	255	SSL_CTX_set_info_callback(ssl_ctx, ssl_info_callback);
256	256	SSL_CTX_set_default_verify_paths(ssl_ctx);
257	257
258		- /*
	258	+#if defined(SSL_ENABLE_CRL_CHECK)
259	259	// Set up CRL validation
260	260	// https://stackoverflow.com/questions/4389954/does-openssl-automatically-handle-crls-certificate-revocation-lists-now
261	261	X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
...	...	@@ -265,9 +265,9 @@ int ssl_init(H3270 *hSession)
265	265	X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
266	266	X509_STORE_set1_param(store, param);
267	267	X509_VERIFY_PARAM_free(param);
268		- */
269	268
270	269	// X509_STORE_free(store);
	270	+#endif // SSL_ENABLE_CRL_CHECK
271	271
272	272	#if defined(_WIN32)
273	273	{
...	...