diff --git a/configure.ac b/configure.ac index ffe4c1c..b57949a 100644 --- a/configure.ac +++ b/configure.ac @@ -341,20 +341,20 @@ dnl --------------------------------------------------------------------------- dnl SSL Security options dnl --------------------------------------------------------------------------- -AC_ARG_ENABLE([self-signed-certs], - [AS_HELP_STRING([--disable-self-signed-certs], [disable SSL connection when host presents a self signed certificate])], +AC_ARG_ENABLE([self-signed-cert-check], + [AS_HELP_STRING([--enable-self-signed-cert-check], [Reject SSL connection when host presents a self signed certificate])], [ app_cv_self_signed_certs="$enableval" ],[ - app_cv_self_signed_certs="yes" + app_cv_self_signed_certs="no" ]) if test "$app_cv_self_signed_certs" == "yes"; then - AC_DEFINE(SSL_ALLOW_SELF_SIGNED_CERT) + AC_DEFINE(SSL_ENABLE_SELF_SIGNED_CERT_CHECK) fi -AC_ARG_ENABLE([expired-crl], - [AS_HELP_STRING([--disable-expired-crl], [disable SSL connection when host presents an expired certificate revocation list])], +AC_ARG_ENABLE([crl-expiration-check], + [AS_HELP_STRING([--enable-crl-expiration-check], [Reject SSL connection when host presents an expired certificate revocation list])], [ app_cv_expired_crl="$enableval" ],[ @@ -362,7 +362,7 @@ AC_ARG_ENABLE([expired-crl], ]) if test "$app_cv_expired_crl" == "yes"; then - AC_DEFINE(SSL_ALLOW_EXPIRED_CRL) + AC_DEFINE(SSL_ENABLE_CRL_EXPIRATION_CHECK) fi 
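Review bot: The default assignment for `app_cv_expired_crl` sits on the unchanged line between the first hunk (ending at `],[`) and the second (starting at `])`), so it keeps the value it had when "yes" meant "allow an expired CRL"; this commit inverts the variable's meaning to "enable the check" and flips `app_cv_self_signed_certs` to `"no"` accordingly, so confirm the hidden line was flipped as well — otherwise `--enable-crl-expiration-check` is documented as opt-in but compiled in by default (inferred from the hunk boundaries, not visible here). Both `if test "$app_cv_self_signed_certs" == "yes"; then` and the expired-crl test in the second hunk use `==`, which is not POSIX `test`; write `if test "$app_cv_self_signed_certs" = "yes"; then`. Each option deserves a `dnl` comment stating its default, since these macros decide whether a self-signed chain or a stale CRL aborts the TLS handshake in negotiate.c.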
@@ -378,7 +378,13 @@ if test "$app_cv_enable_crl_check" == "yes"; then AC_DEFINE(SSL_ENABLE_CRL_CHECK) fi -AC_ARG_WITH([default-crl], [AS_HELP_STRING([--with-default-crl], [Set lib3270 default crl url])], [ AC_DEFINE_UNQUOTED(LIB3270_DEFAULT_CRL,"$withval") ],[ AC_MSG_NOTICE(No default crl)]) +AC_ARG_WITH([default-crl-url], + [AS_HELP_STRING([--with-default-crl-url], [Set lib3270 default crl url])], +[ + AC_DEFINE_UNQUOTED(SSL_DEFAULT_CRL_URL,"$withval") +],[ + AC_MSG_NOTICE(No default crl url) +]) dnl --------------------------------------------------------------------------- dnl Check for pic diff --git a/lib3270.cbp b/lib3270.cbp index e405eb9..0d78c40 100644 --- a/lib3270.cbp +++ b/lib3270.cbp @@ -39,7 +39,6 @@ - diff --git a/src/include/config.h.in b/src/include/config.h.in index 7ae17a0..b0a13fa 100644 --- a/src/include/config.h.in +++ b/src/include/config.h.in @@ -53,10 +53,12 @@ /* Security options */ #undef HAVE_LDAP #undef HAVE_LIBSSL - #undef SSL_ALLOW_SELF_SIGNED_CERT - #undef SSL_ALLOW_EXPIRED_CRL + + #undef SSL_ENABLE_SELF_SIGNED_CERT_CHECK + #undef SSL_ENABLE_CRL_CHECK - #undef LIB3270_DEFAULT_CRL + #undef SSL_ENABLE_CRL_EXPIRATION_CHECK + #undef SSL_DEFAULT_CRL_URL /* Windows Options */ #ifdef WIN32 diff --git a/src/lib3270/properties.c b/src/lib3270/properties.c index 0840c25..b9c4a2b 100644 --- a/src/lib3270/properties.c +++ b/src/lib3270/properties.c @@ -298,11 +298,11 @@ if(hSession->ssl.crl) return hSession->ssl.crl; -#ifdef LIB3270_DEFAULT_CRL - return LIB3270_DEFAULT_CRL; +#ifdef SSL_DEFAULT_CRL_URL + return SSL_DEFAULT_CRL_URL; #else return getenv("LIB3270_DEFAULT_CRL"); -#endif // LIB3270_DEFAULT_CRL +#endif // SSL_DEFAULT_CRL_URL #else errno = ENOTSUP; @@ -310,7 +310,6 @@ #endif } - int lib3270_set_crl_url(H3270 *hSession, const char *crl) { diff --git a/src/lib3270/ssl/negotiate.c b/src/lib3270/ssl/negotiate.c index 94f365f..a01beca 100644 --- a/src/lib3270/ssl/negotiate.c +++ b/src/lib3270/ssl/negotiate.c 
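Review bot: In the properties.c hunk the `#else` branch still returns `getenv("LIB3270_DEFAULT_CRL")` while the compile-time macro was renamed to `SSL_DEFAULT_CRL_URL`; if keeping the environment name is deliberate (it is a runtime interface existing deployments may rely on), say so with a comment such as `// Environment variable name kept for compatibility; unrelated to the SSL_DEFAULT_CRL_URL build option`. A build configured with `--with-default-crl-url` makes the environment value unreachable, and a build without it lets the process environment pick the CRL source, which operators should know since that location feeds revocation checking. The enclosing getter starts before the hunk.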
@@ -195,14 +195,14 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 case X509_V_ERR_CRL_HAS_EXPIRED:
 trace_ssl(hSession,"%s","The CRL of a certificate has expired.\n" );
-#ifdef SSL_ALLOW_EXPIRED_CRL
- break;
-#else
+#ifdef SSL_ENABLE_CRL_EXPIRATION_CHECK
 ((SSL_ERROR_MESSAGE *) message)->title = _( "SSL error" );
 ((SSL_ERROR_MESSAGE *) message)->text = _( "The CRL has expired." );
 ((SSL_ERROR_MESSAGE *) message)->description = _( "The Certificate revocation list (CRL) has expired." );
 return -1;
-#endif // SSL_ALLOW_EXPIRED_CRL
+#else
+ break;
+#endif // SSL_ENABLE_CRL_EXPIRATION_CHECK
 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
@@ -211,14 +211,14 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 debug("%s","TLS/SSL negotiated connection complete with self signed certificate in certificate chain" );
 trace_ssl(hSession,"%s","TLS/SSL negotiated connection complete with self signed certificate in certificate chain\n" );
-#ifdef SSL_ALLOW_SELF_SIGNED_CERT
- break;
-#else
+#ifdef SSL_ENABLE_SELF_SIGNED_CERT_CHECK
 ((SSL_ERROR_MESSAGE *) message)->title = _( "SSL error" );
 ((SSL_ERROR_MESSAGE *) message)->text = _( "The SSL certificate for this host is not trusted." );
 ((SSL_ERROR_MESSAGE *) message)->description = _( "The security certificate presented by this host was not issued by a trusted certificate authority." );
 return -1;
-#endif // SSL_ALLOW_SELF_SIGNED_CERT
+#else
+ break;
+#endif // SSL_ENABLE_SELF_SIGNED_CERT_CHECK
 default:
-- 
libgit2 0.21.2
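Review bot: With the check macro undefined — the configure.ac default for the self-signed case in this commit — both hunks take the `#else` / `break;` path and the handshake continues with nothing but a trace line, so the accept path should be marked explicitly, e.g. `#else /* check disabled at build time: the chain is accepted and negotiation continues */` at both `#else` lines. Because the policy is fixed at build time, a deploying site cannot make a given binary stricter; exposing these two decisions as session properties, the way properties.c already exposes the CRL URL through `lib3270_set_crl_url`, would let the caller opt into rejection without a rebuild. Note that `background_ssl_negotiation` starts before and ends after both hunks.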