Commit 5a6856ae951a34d1de64526f44f9051e8a156b0a

Authored by Perry Werneck
1 parent 02c53c4d

Incluindo popup quando o CRL não for localizado; facilita a

identificação de erros de conexão segura.
Showing 1 changed file with 32 additions and 14 deletions   Show diff stats
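--- a/src/lib3270/ssl.c
+++ b/src/lib3270/ssl.c
@@ -135,6 +135,17 @@ int ssl_negotiate(H3270 *hSession)
 trace_dsn(hSession,"TLS/SSL negotiated connection complete. Peer certificate %s presented.\n", peer ? "was" : "was not");
 break;
 
+case X509_V_ERR_UNABLE_TO_GET_CRL:
+trace_dsn(hSession,"%s","The CRL of a certificate could not be found.\n" );
+lib3270_disconnect(hSession);
+lib3270_popup_dialog( hSession,
+LIB3270_NOTIFY_ERROR,
+_( "SSL error" ),
+_( "Unable to get certificate CRL." ),
+_( "The CRL of a certificate could not be found." )
+);
+return -1;
+
 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
 peer = SSL_get_peer_certificate(hSession->ssl_con);
 trace_dsn(hSession,"%s","TLS/SSL negotiated connection complete with self signed certificate in certificate chain\n" );
@@ -255,20 +266,6 @@ int ssl_init(H3270 *hSession)
 SSL_CTX_set_info_callback(ssl_ctx, ssl_info_callback);
 SSL_CTX_set_default_verify_paths(ssl_ctx);
 
-#if defined(SSL_ENABLE_CRL_CHECK)
-// Set up CRL validation
-// https://stackoverflow.com/questions/4389954/does-openssl-automatically-handle-crls-certificate-revocation-lists-now
-X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
-
-// Enable CRL checking
-X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
-X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
-X509_STORE_set1_param(store, param);
-X509_VERIFY_PARAM_free(param);
-
-// X509_STORE_free(store);
-#endif // SSL_ENABLE_CRL_CHECK
-
 #if defined(_WIN32)
 {
 HKEY hKey = 0;
@@ -331,6 +328,27 @@ int ssl_init(H3270 *hSession)
 
 #endif // _WIN32
 
+#if defined(SSL_ENABLE_CRL_CHECK)
+// Set up CRL validation
+// https://stackoverflow.com/questions/4389954/does-openssl-automatically-handle-crls-certificate-revocation-lists-now
+X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
+
+// Enable CRL checking
+X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
+X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
+X509_STORE_set1_param(store, param);
+X509_VERIFY_PARAM_free(param);
+
+// X509_STORE_free(store);
+
+trace_dsn(hSession,"CRL CHECK is enabled.\n");
+
+#else
+
+trace_dsn(hSession,"CRL CHECK is disabled.\n");
+
+#endif // SSL_ENABLE_CRL_CHECK
+
 ssl_3270_ex_index = SSL_get_ex_new_index(0,NULL,NULL,NULL,NULL);
 
 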
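Review bot: In the relocated CRL block of the last hunk (new lines 337-339), the results of `X509_VERIFY_PARAM_new()`, `X509_VERIFY_PARAM_set_flags()` and `X509_STORE_set1_param()` are still never checked, so an allocation failure or a rejected parameter set leaves revocation checking silently off while the trace on line 344 reports "CRL CHECK is enabled." — the verification then fails open. Checking the three results and aborting the initialisation on failure keeps the trace truthful; ssl_init's failure return value is not visible in this hunk, so use whatever it returns on its other error paths (the function starts outside the hunk). Separately, `X509_V_FLAG_CRL_CHECK` only consults the CRL for the leaf certificate; if intermediate CAs are meant to be checked as well, `X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL` is the flag combination OpenSSL expects, which would be worth stating in the "Enable CRL checking" comment either way. The same unchecked-result pattern existed in the removed block, so this is carried over rather than introduced, but the move is a good moment to fix it.

```c
// Enable CRL checking
X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
if(!param
	|| !X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK)
	|| !X509_STORE_set1_param(store, param)) {
	X509_VERIFY_PARAM_free(param); // free(NULL) is a no-op here too
	trace_dsn(hSession,"Unable to enable CRL check.\n");
	return -1; // substitute ssl_init's existing failure value
}
X509_VERIFY_PARAM_free(param);
// … unchanged: trace_dsn "CRL CHECK is enabled." and #else branch …
```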