Commit 5a6856ae951a34d1de64526f44f9051e8a156b0a
1 parent
02c53c4d
Exists in
master
and in
5 other branches
Incluindo popup quando o CRL não for localizado; facilita a
identificação de erros de conexão segura.
Showing
1 changed file
with
32 additions
and
14 deletions
Show diff stats
src/lib3270/ssl.c
| ... | ... | @@ -135,6 +135,17 @@ int ssl_negotiate(H3270 *hSession) |
| 135 | 135 | trace_dsn(hSession,"TLS/SSL negotiated connection complete. Peer certificate %s presented.\n", peer ? "was" : "was not"); |
| 136 | 136 | break; |
| 137 | 137 | |
| 138 | + case X509_V_ERR_UNABLE_TO_GET_CRL: | |
| 139 | + trace_dsn(hSession,"%s","The CRL of a certificate could not be found.\n" ); | |
| 140 | + lib3270_disconnect(hSession); | |
| 141 | + lib3270_popup_dialog( hSession, | |
| 142 | + LIB3270_NOTIFY_ERROR, | |
| 143 | + _( "SSL error" ), | |
| 144 | + _( "Unable to get certificate CRL." ), | |
| 145 | + _( "The CRL of a certificate could not be found." ) | |
| 146 | + ); | |
| 147 | + return -1; | |
| 148 | + | |
| 138 | 149 | case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: |
| 139 | 150 | peer = SSL_get_peer_certificate(hSession->ssl_con); |
| 140 | 151 | trace_dsn(hSession,"%s","TLS/SSL negotiated connection complete with self signed certificate in certificate chain\n" ); |
| ... | ... | @@ -255,20 +266,6 @@ int ssl_init(H3270 *hSession) |
| 255 | 266 | SSL_CTX_set_info_callback(ssl_ctx, ssl_info_callback); |
| 256 | 267 | SSL_CTX_set_default_verify_paths(ssl_ctx); |
| 257 | 268 | |
| 258 | -#if defined(SSL_ENABLE_CRL_CHECK) | |
| 259 | - // Set up CRL validation | |
| 260 | - // https://stackoverflow.com/questions/4389954/does-openssl-automatically-handle-crls-certificate-revocation-lists-now | |
| 261 | - X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx); | |
| 262 | - | |
| 263 | - // Enable CRL checking | |
| 264 | - X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); | |
| 265 | - X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); | |
| 266 | - X509_STORE_set1_param(store, param); | |
| 267 | - X509_VERIFY_PARAM_free(param); | |
| 268 | - | |
| 269 | - // X509_STORE_free(store); | |
| 270 | -#endif // SSL_ENABLE_CRL_CHECK | |
| 271 | - | |
| 272 | 269 | #if defined(_WIN32) |
| 273 | 270 | { |
| 274 | 271 | HKEY hKey = 0; |
| ... | ... | @@ -331,6 +328,27 @@ int ssl_init(H3270 *hSession) |
| 331 | 328 | |
| 332 | 329 | #endif // _WIN32 |
| 333 | 330 | |
| 331 | +#if defined(SSL_ENABLE_CRL_CHECK) | |
| 332 | + // Set up CRL validation | |
| 333 | + // https://stackoverflow.com/questions/4389954/does-openssl-automatically-handle-crls-certificate-revocation-lists-now | |
| 334 | + X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx); | |
| 335 | + | |
| 336 | + // Enable CRL checking | |
| 337 | + X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); | |
| 338 | + X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); | |
| 339 | + X509_STORE_set1_param(store, param); | |
| 340 | + X509_VERIFY_PARAM_free(param); | |
| 341 | + | |
| 342 | + // X509_STORE_free(store); | |
| 343 | + | |
| 344 | + trace_dsn(hSession,"CRL CHECK is enabled.\n"); | |
| 345 | + | |
| 346 | +#else | |
| 347 | + | |
| 348 | + trace_dsn(hSession,"CRL CHECK is disabled.\n"); | |
| 349 | + | |
| 350 | +#endif // SSL_ENABLE_CRL_CHECK | |
| 351 | + | |
| 334 | 352 | ssl_3270_ex_index = SSL_get_ex_new_index(0,NULL,NULL,NULL,NULL); |
| 335 | 353 | |
| 336 | 354 | ... | ... |