Adjustments in TLS subsystem

Perry Werneck
1 parent 68f79a5b
Showing 8 changed files with 139 additions and 60 deletions Show diff stats
src/core/connect.c
src/core/linux/connect.c
src/core/telnet.c
src/include/internals.h
src/include/networking.h
src/network_modules/openssl/main.c
src/network_modules/openssl/messages.c
src/network_modules/state.c
@@ -136,6 +136,20 @@
  }
+ void lib3270_notify_tls(H3270 *hSession) {
+
+	// Negotiation complete is the connection secure?
+	if(hSession->ssl.message->type != LIB3270_NOTIFY_INFO) {
+
+		// Ask user what I can do!
+		if(lib3270_popup_translated(hSession,(const LIB3270_POPUP *) hSession->ssl.message,1) == ECANCELED) {
+			lib3270_disconnect(hSession);
+		}
+
+	}
+
+ }
+
  int lib3270_start_tls(H3270 *hSession)
  {
 	hSession->ssl.message = NULL;	// Reset message.
@@ -184,27 +198,7 @@
 		return rc;
 	}
-	// Negotiation complete is the connection secure?
-	if(hSession->ssl.message->type == LIB3270_NOTIFY_INFO) {
-
-		// Yes! The message was only informational.
-		set_ssl_state(hSession,LIB3270_SSL_SECURE);
-
-	} else {
-
-		// No! The negotiation completed with a warning or error.
-		set_ssl_state(hSession,LIB3270_SSL_NEGOTIATED);
-
-		// Ask user what I can do!
-		debug("********************* [%s]",hSession->ssl.message->name);
-		debug("********************* [%s]",hSession->ssl.message->label);
-
-		if(lib3270_popup_translated(hSession,(const LIB3270_POPUP *) hSession->ssl.message,1) == ECANCELED) {
-			return ECANCELED;
-		}
-
-	}
-
+	set_ssl_state(hSession,(hSession->ssl.message->type == LIB3270_NOTIFY_INFO ? LIB3270_SSL_SECURE : LIB3270_SSL_NEGOTIATED));
 	non_blocking(hSession,True);
 	return 0;
@@ -192,6 +192,8 @@
 	lib3270_setup_session(hSession);
 	lib3270_set_connected_initial(hSession);
+	lib3270_notify_tls(hSession);
+
  }
  int net_reconnect(H3270 *hSession, int seconds)
@@ -402,6 +402,7 @@ static int net_connected(H3270 *hSession)
 	}
 	lib3270_setup_session(hSession);
+	lib3270_notify_tls(hSession);
 	return 0;
 }
@@ -1053,7 +1054,12 @@ static void continue_tls(H3270 *hSession, unsigned char *sbbuf, int len)
 	trace_dsn(hSession,"%s FOLLOWS %s\n", opt(TELOPT_STARTTLS), cmd(SE));
 	hSession->ssl.host = 1;	// Set host type as SSL.
-	lib3270_start_tls(hSession);
+	if(lib3270_start_tls(hSession)) {
+		lib3270_disconnect(hSession);
+		return;
+	}
+
+	lib3270_notify_tls(hSession);
 }
@@ -870,6 +870,9 @@ LIB3270_INTERNAL void	set_ssl_state(H3270 *session, LIB3270_SSL_STATE state);
 	///
 	LIB3270_INTERNAL int lib3270_start_tls(H3270 *hSession);
+	LIB3270_INTERNAL void lib3270_notify_tls(H3270 *hSession);
+
+
 	/**
 	 * @brief Emit translated popup message.
 	 *
@@ -147,6 +147,16 @@
 		/// @brief Get socket options.
 		int (*getsockopt)(H3270 *hSession, int level, int optname, void *optval, socklen_t *optlen);
+		/// @brief Get Peer certificate.
+		///
+		/// @return String with the peer certificate (release it with lib3270_free); NULL if not available.
+		char * (*getcert)(const H3270 *hSession);
+
+		/// @brief Get CRL.
+		///
+		/// @return String with the CRL certificate (release it with lib3270_free); NULL if not available.
+		char * (*getcrl)(const H3270 *hSession);
+
 	} LIB3270_NET_MODULE;
 	/**
@@ -203,6 +203,62 @@ static int openssl_network_getsockopt(H3270 *hSession, int level, int optname, v
 	return getsockopt(hSession->network.context->sock, level, optname, optval, optlen);
 }
+static char * openssl_network_getcert(const H3270 *hSession) {
+
+	LIB3270_NET_CONTEXT * context = hSession->network.context;
+
+	if(context && context->con) {
+		lib3270_autoptr(X509) peer = SSL_get_peer_certificate(context->con);
+
+		if(peer) {
+
+			lib3270_autoptr(BIO)	  out = BIO_new(BIO_s_mem());
+			unsigned char			* data;
+			unsigned char			* text;
+			int						  n;
+
+			X509_print(out,peer);
+
+			n		= BIO_get_mem_data(out, &data);
+			text	= (unsigned char *) lib3270_malloc(n+1);
+			memcpy(text,data,n);
+			text[n]	='\0';
+
+			return (char *) text;
+		}
+	}
+
+	errno = ENOTCONN;
+	return NULL;
+}
+
+static char * openssl_network_getcrl(const H3270 *hSession) {
+
+	LIB3270_NET_CONTEXT * context = hSession->network.context;
+
+	if(context->crl.cert) {
+
+		lib3270_autoptr(BIO)	  out = BIO_new(BIO_s_mem());
+		unsigned char			* data;
+		unsigned char			* text;
+		int						  n;
+
+		X509_print(out,context->crl.cert);
+
+		n		= BIO_get_mem_data(out, &data);
+		text	= (unsigned char *) lib3270_malloc(n+1);
+		memcpy(text,data,n);
+		text[n]	='\0';
+
+		return (char *) text;
+
+	}
+
+	errno = ENOENT;
+	return NULL;
+
+}
+
 static int openssl_network_init(H3270 *hSession) {
 	set_ssl_state(hSession,LIB3270_SSL_UNDEFINED);
@@ -283,7 +339,9 @@ void lib3270_set_libssl_network_module(H3270 *hSession) {
 		.is_connected = openssl_network_is_connected,
 		.getsockname = openssl_network_getsockname,
 		.setsockopt = openssl_network_setsockopt,
-		.getsockopt = openssl_network_getsockopt
+		.getsockopt = openssl_network_getsockopt,
+		.getcert = openssl_network_getcert,
+		.getcrl	= openssl_network_getcrl
 	};
  	debug("%s",__FUNCTION__);
@@ -56,7 +56,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
 			.message = {
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Unable to get issuer certificate" ),
 				.body = N_( "The issuer certificate of a looked up certificate could not be found. This normally means the list of trusted certificates is not complete." )
@@ -66,8 +66,12 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_UNABLE_TO_GET_CRL,
 			.message = {
+#ifdef SSL_ENABLE_CRL_CHECK
+				.type = LIB3270_NOTIFY_SECURE,
+#else
+				.type = LIB3270_NOTIFY_INFO,
+#endif // SSL_ENABLE_CRL_CHECK
 				.name = "X509UnableToGetCRL",
-				.type = LIB3270_NOTIFY_ERROR,
 				.icon = "security-low",
 				.summary = N_( "Unable to get certificate CRL." ),
 				.body = N_( "The Certificate revocation list (CRL) of a certificate could not be found." ),
@@ -78,7 +82,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE,
 			.message = {
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Unable to decrypt certificate's signature" ),
 				.body = N_( "The certificate signature could not be decrypted. This means that the actual signature value could not be determined rather than it not matching the expected value, this is only meaningful for RSA keys." )
@@ -88,7 +92,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE,
 			.message = {
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Unable to decrypt CRL's signature" ),
 				.body = N_( "The CRL signature could not be decrypted: this means that the actual signature value could not be determined rather than it not matching the expected value. Unused." )
@@ -98,7 +102,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY,
 			.message = {
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Unable to decode issuer public key" ),
 				.body = N_( "The public key in the certificate SubjectPublicKeyInfo could not be read." )
@@ -108,7 +112,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_CERT_SIGNATURE_FAILURE,
 			.message = {
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Certificate signature failure" ),
 				.body = N_( "The signature of the certificate is invalid." )
@@ -118,7 +122,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_CRL_SIGNATURE_FAILURE,
 			.message = {
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "CRL signature failure" ),
 				.body = N_( "The signature of the certificate is invalid." )
@@ -129,7 +133,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 			.id = X509_V_ERR_CERT_NOT_YET_VALID,
 			.message = {
 				.type = LIB3270_NOTIFY_WARNING,
-				.icon = "dialog-warning",
+				.icon = "security-medium",
 				.summary = N_( "Certificate is not yet valid" ),
 				.body = N_( "The certificate is not yet valid: the notBefore date is after the current time." )
 			}
@@ -138,8 +142,8 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_CERT_HAS_EXPIRED,
 			.message = {
-				.type = LIB3270_NOTIFY_ERROR,
-				.icon = "dialog-error",
+				.type = LIB3270_NOTIFY_SECURE,
+				.icon = "security-medium",
 				.summary = N_( "Certificate has expired" ),
 				.body = N_( "The certificate has expired: that is the notAfter date is before the current time." )
 			}
@@ -149,7 +153,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 			.id = X509_V_ERR_CRL_NOT_YET_VALID,
 			.message = {
 				.type = LIB3270_NOTIFY_WARNING,
-				.icon = "dialog-error",
+				.icon = "security-medium",
 				.summary = N_( "The CRL is not yet valid." ),
 				.body = N_( "The Certificate revocation list (CRL) is not yet valid." )
 			}
@@ -159,9 +163,9 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 			.id = X509_V_ERR_CRL_HAS_EXPIRED,
 			.message = {
 	#ifdef SSL_ENABLE_CRL_EXPIRATION_CHECK
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 	#else
-				.type = LIB3270_NOTIFY_WARNING,
+				.type = LIB3270_NOTIFY_INFO,
 	#endif // SSL_ENABLE_CRL_EXPIRATION_CHECK
 				.icon = "security-medium",
 				.summary = N_( "The CRL has expired." ),
@@ -172,7 +176,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD,
 			.message = {
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Format error in certificate's notBefore field" ),
 				.body = N_( "The certificate notBefore field contains an invalid time." )
@@ -182,7 +186,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD,
 			.message = {
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Format error in certificate's notAfter field" ),
 				.body = N_( "The certificate notAfter field contains an invalid time." )
@@ -192,7 +196,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD,
 			.message = {
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Format error in CRL's lastUpdate field" ),
 				.body = N_( "The CRL lastUpdate field contains an invalid time." )
@@ -202,7 +206,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD,
 			.message = {
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Format error in CRL's nextUpdate field" ),
 				.body = N_( "The CRL nextUpdate field contains an invalid time." )
@@ -233,11 +237,13 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 			.id = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
 			.message = {
 	#ifdef SSL_ENABLE_SELF_SIGNED_CERT_CHECK
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 	#else
-				.type = LIB3270_NOTIFY_WARNING,
+				.type = LIB3270_NOTIFY_INFO,
 	#endif // SSL_ENABLE_SELF_SIGNED_CERT_CHECK
-				.icon = "security-medium",
+				.name = "SelfSignedCertInChain",
+				.icon = "security-low",
+				.label = N_("Continue"),
 				.summary = N_( "Self signed certificate in certificate chain" ),
 				.body = N_( "The certificate chain could be built up using the untrusted certificates but the root could not be found locally." )
 			}
@@ -256,7 +262,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
 			.message = {
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "security-low",
 				.summary = N_( "Unable to verify the first certificate" ),
 				.body = N_( "No signatures could be verified because the chain contains only one certificate and it is not self signed." )
@@ -266,7 +272,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_CERT_REVOKED,
 			.message = {
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "security-low",
 				.summary = N_( "Certificate revoked" ),
 				.body = N_( "The certificate has been revoked." )
@@ -276,7 +282,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_INVALID_CA,
 			.message = {
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "security-low",
 				.summary = N_( "Invalid CA certificate" ),
 				.body = N_( "A CA certificate is invalid. Either it is not a CA or its extensions are not consistent with the supplied purpose." )
@@ -286,7 +292,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_PATH_LENGTH_EXCEEDED,
 			.message = {
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Path length constraint exceeded" ),
 				.body = N_( "The basicConstraints pathlength parameter has been exceeded." ),
@@ -296,7 +302,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_INVALID_PURPOSE,
 			.message = {
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Unsupported certificate purpose" ),
 				.body = N_( "The supplied certificate cannot be used for the specified purpose." )
@@ -316,7 +322,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_CERT_REJECTED,
 			.message = {
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "security-low",
 				.summary = N_( "Certificate rejected" ),
 				.body = N_( "The root CA is marked to reject the specified purpose." )
@@ -326,7 +332,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_SUBJECT_ISSUER_MISMATCH,
 			.message = {
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "security-low",
 				.summary = N_( "Subject issuer mismatch" ),
 				.body = N_( "The current candidate issuer certificate was rejected because its subject name did not match the issuer name of the current certificate. Only displayed when the -issuer_checks option is set." )
@@ -336,7 +342,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_AKID_SKID_MISMATCH,
 			.message = {
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Authority and subject key identifier mismatch" ),
 				.body = N_( "The current candidate issuer certificate was rejected because its subject key identifier was present and did not match the authority key identifier current certificate. Only displayed when the -issuer_checks option is set." )
@@ -346,7 +352,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH,
 			.message = {
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Authority and issuer serial number mismatch" ),
 				.body = N_( "The current candidate issuer certificate was rejected because its issuer name and serial number was present and did not match the authority key identifier of the current certificate. Only displayed when the -issuer_checks option is set." )
@@ -356,7 +362,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_KEYUSAGE_NO_CERTSIGN,
 			.message = {
-				.type = LIB3270_NOTIFY_ERROR,
+				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Key usage does not include certificate signing" ),
 				.body = N_( "The current candidate issuer certificate was rejected because its keyUsage extension does not permit certificate signing." )
@@ -31,12 +31,12 @@
 #include <internals.h>
 #include <errno.h>
 #include <lib3270.h>
-#include <lib3270/internals.h>
 #include <lib3270/popup.h>
 #include <lib3270/trace.h>
 #include <trace_dsc.h>
 #include <lib3270/log.h>
 #include <lib3270/trace.h>
+#include <networking.h>
 #ifdef HAVE_LIBSSL
 	#include <openssl/ssl.h>
@@ -114,18 +114,18 @@ LIB3270_EXPORT const char * lib3270_get_ssl_state_description(const H3270 *hSess
 LIB3270_EXPORT char * lib3270_get_ssl_crl_text(const H3270 *hSession) {
-#ifndef DEBUG
-	#error Implementar!
-#endif // DEBUG
+	if(hSession->network.module && hSession->network.module->getcrl)
+		return hSession->network.module->getcrl(hSession);
+	errno = ENOTSUP;
 	return NULL;
 }
 LIB3270_EXPORT char * lib3270_get_ssl_peer_certificate_text(const H3270 *hSession) {
-#ifndef DEBUG
-	#error Implementar!
-#endif // DEBUG
+	if(hSession->network.module && hSession->network.module->getcert)
+		return hSession->network.module->getcert(hSession);
+	errno = ENOTSUP;
 	return NULL;
 }
	@@ -192,6 +192,8 @@		@@ -192,6 +192,8 @@
192	lib3270_setup_session(hSession);	192	lib3270_setup_session(hSession);
193	lib3270_set_connected_initial(hSession);	193	lib3270_set_connected_initial(hSession);
194		194
		195	+ lib3270_notify_tls(hSession);
		196	+
195	}	197	}
196		198
197	int net_reconnect(H3270 *hSession, int seconds)	199	int net_reconnect(H3270 *hSession, int seconds)
	@@ -147,6 +147,16 @@		@@ -147,6 +147,16 @@
147	/// @brief Get socket options.	147	/// @brief Get socket options.
148	int (getsockopt)(H3270 hSession, int level, int optname, void optval, socklen_t optlen);	148	int (getsockopt)(H3270 hSession, int level, int optname, void optval, socklen_t optlen);
149		149
		150	+ /// @brief Get Peer certificate.
		151	+ ///
		152	+ /// @return String with the peer certificate (release it with lib3270_free); NULL if not available.
		153	+ char * (getcert)(const H3270 hSession);
		154	+
		155	+ /// @brief Get CRL.
		156	+ ///
		157	+ /// @return String with the CRL certificate (release it with lib3270_free); NULL if not available.
		158	+ char * (getcrl)(const H3270 hSession);
		159	+
150	} LIB3270_NET_MODULE;	160	} LIB3270_NET_MODULE;
151		161
152	/**	162	/**
	@@ -203,6 +203,62 @@ static int openssl_network_getsockopt(H3270 *hSession, int level, int optname, v		@@ -203,6 +203,62 @@ static int openssl_network_getsockopt(H3270 *hSession, int level, int optname, v
203	return getsockopt(hSession->network.context->sock, level, optname, optval, optlen);	203	return getsockopt(hSession->network.context->sock, level, optname, optval, optlen);
204	}	204	}
205		205
		206	+static char * openssl_network_getcert(const H3270 *hSession) {
		207	+
		208	+ LIB3270_NET_CONTEXT * context = hSession->network.context;
		209	+
		210	+ if(context && context->con) {
		211	+ lib3270_autoptr(X509) peer = SSL_get_peer_certificate(context->con);
		212	+
		213	+ if(peer) {
		214	+
		215	+ lib3270_autoptr(BIO) out = BIO_new(BIO_s_mem());
		216	+ unsigned char * data;
		217	+ unsigned char * text;
		218	+ int n;
		219	+
		220	+ X509_print(out,peer);
		221	+
		222	+ n = BIO_get_mem_data(out, &data);
		223	+ text = (unsigned char *) lib3270_malloc(n+1);
		224	+ memcpy(text,data,n);
		225	+ text[n] ='\0';
		226	+
		227	+ return (char *) text;
		228	+ }
		229	+ }
		230	+
		231	+ errno = ENOTCONN;
		232	+ return NULL;
		233	+}
		234	+
		235	+static char * openssl_network_getcrl(const H3270 *hSession) {
		236	+
		237	+ LIB3270_NET_CONTEXT * context = hSession->network.context;
		238	+
		239	+ if(context->crl.cert) {
		240	+
		241	+ lib3270_autoptr(BIO) out = BIO_new(BIO_s_mem());
		242	+ unsigned char * data;
		243	+ unsigned char * text;
		244	+ int n;
		245	+
		246	+ X509_print(out,context->crl.cert);
		247	+
		248	+ n = BIO_get_mem_data(out, &data);
		249	+ text = (unsigned char *) lib3270_malloc(n+1);
		250	+ memcpy(text,data,n);
		251	+ text[n] ='\0';
		252	+
		253	+ return (char *) text;
		254	+
		255	+ }
		256	+
		257	+ errno = ENOENT;
		258	+ return NULL;
		259	+
		260	+}
		261	+
206	static int openssl_network_init(H3270 *hSession) {	262	static int openssl_network_init(H3270 *hSession) {
207		263
208	set_ssl_state(hSession,LIB3270_SSL_UNDEFINED);	264	set_ssl_state(hSession,LIB3270_SSL_UNDEFINED);
	@@ -283,7 +339,9 @@ void lib3270_set_libssl_network_module(H3270 *hSession) {		@@ -283,7 +339,9 @@ void lib3270_set_libssl_network_module(H3270 *hSession) {
283	.is_connected = openssl_network_is_connected,	339	.is_connected = openssl_network_is_connected,
284	.getsockname = openssl_network_getsockname,	340	.getsockname = openssl_network_getsockname,
285	.setsockopt = openssl_network_setsockopt,	341	.setsockopt = openssl_network_setsockopt,
286	- .getsockopt = openssl_network_getsockopt	342	+ .getsockopt = openssl_network_getsockopt,
		343	+ .getcert = openssl_network_getcert,
		344	+ .getcrl = openssl_network_getcrl
287	};	345	};
288		346
289	debug("%s",__FUNCTION__);	347	debug("%s",__FUNCTION__);