Incluindo opção de configuração para não aceitar conexões em hosts

que apresentarem certificados SSL auto assinados.

Incluindo opção de configuração para não aceitar conexões em hosts
que apresentarem certificados SSL auto assinados.
Perry Werneck
1 parent efa4ab24
Showing 3 changed files with 25 additions and 0 deletions Show diff stats
configure.ac
src/include/config.h.in
src/lib3270/ssl.c
@@ -321,6 +321,23 @@ if test $app_cv_fvisibility_ok = yes; then
 fi
  
 dnl ---------------------------------------------------------------------------
+dnl Allow self signed certificates in SSL connections?
+dnl ---------------------------------------------------------------------------
+
+AC_ARG_ENABLE([self-signed-certs],
+	[AS_HELP_STRING([--disable-self-signed-certs], [disable SSL connection when host presents a self signed certificate])],
+[
+	app_cv_self_signed_certs="$enableval"
+],[
+	app_cv_self_signed_certs="yes"
+])
+
+if test "$app_cv_self_signed_certs" == "yes"; then
+	AC_DEFINE(ENABLE_SELF_SIGNED_CERT)
+fi
+
+
+dnl ---------------------------------------------------------------------------
 dnl Check for pic
 dnl ---------------------------------------------------------------------------
 AC_ARG_ENABLE([pic],
@@ -49,6 +49,8 @@
 	#undef HAVE_ICONV
 	#undef ICONV_CONST
  
+	#undef ENABLE_SELF_SIGNED_CERT
+
 #ifdef WIN32
 	#undef HAVE_WIN_REGISTRY
 #endif // HAVE_WIN_REGISTRY
@@ -136,7 +136,13 @@ int ssl_negotiate(H3270 *hSession)
 	case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
 		peer = SSL_get_peer_certificate(hSession->ssl_con);
 		trace_dsn(hSession,"%s","TLS/SSL negotiated connection complete with self signed certificate in certificate chain\n" );
+
+#ifdef ENABLE_SELF_SIGNED_CERT
 		break;
+#else
+		lib3270_disconnect(hSession);
+		return -1;
+#endif // ENABLE_SELF_SIGNED_CERT
  
 	default:
 		trace_dsn(hSession,"Unexpected or invalid TLS/SSL verify result %d\n",rv);
...	...	@@ -321,6 +321,23 @@ if test $app_cv_fvisibility_ok = yes; then
321	321	fi
322	322
323	323	dnl ---------------------------------------------------------------------------
	324	+dnl Allow self signed certificates in SSL connections?
	325	+dnl ---------------------------------------------------------------------------
	326	+
	327	+AC_ARG_ENABLE([self-signed-certs],
	328	+ [AS_HELP_STRING([--disable-self-signed-certs], [disable SSL connection when host presents a self signed certificate])],
	329	+[
	330	+ app_cv_self_signed_certs="$enableval"
	331	+],[
	332	+ app_cv_self_signed_certs="yes"
	333	+])
	334	+
	335	+if test "$app_cv_self_signed_certs" == "yes"; then
	336	+ AC_DEFINE(ENABLE_SELF_SIGNED_CERT)
	337	+fi
	338	+
	339	+
	340	+dnl ---------------------------------------------------------------------------
324	341	dnl Check for pic
325	342	dnl ---------------------------------------------------------------------------
326	343	AC_ARG_ENABLE([pic],
...	...
...	...	@@ -49,6 +49,8 @@
49	49	#undef HAVE_ICONV
50	50	#undef ICONV_CONST
51	51
	52	+ #undef ENABLE_SELF_SIGNED_CERT
	53	+
52	54	#ifdef WIN32
53	55	#undef HAVE_WIN_REGISTRY
54	56	#endif // HAVE_WIN_REGISTRY
...	...
...	...	@@ -136,7 +136,13 @@ int ssl_negotiate(H3270 *hSession)
136	136	case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
137	137	peer = SSL_get_peer_certificate(hSession->ssl_con);
138	138	trace_dsn(hSession,"%s","TLS/SSL negotiated connection complete with self signed certificate in certificate chain\n" );
	139	+
	140	+#ifdef ENABLE_SELF_SIGNED_CERT
139	141	break;
	142	+#else
	143	+ lib3270_disconnect(hSession);
	144	+ return -1;
	145	+#endif // ENABLE_SELF_SIGNED_CERT
140	146
141	147	default:
142	148	trace_dsn(hSession,"Unexpected or invalid TLS/SSL verify result %d\n",rv);
...	...