$self->log(' Subject Name: ', Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($cert)));
}
- if ($depth == 0) {
+ $ok = 1 unless $self->{SSL_verify} // 1;
+ if ($depth == 0 and !exists $self->{_SSL_PEER_VERIFIED}) {
if ($self->{debug}) {
my $algo = 'sha256';
my $type = Net::SSLeay::EVP_get_digestbyname($algo)
$self->log('Peer certificate fingerprint: '
.$algo.'$'.unpack('H*', Net::SSLeay::X509_digest($cert, $type)));
}
+
+ if (defined (my $fpr = $self->{SSL_fingerprint})) {
+ (my $algo, $fpr) = $fpr =~ /^([^\$]+)\$(.*)/ ? ($1, $2) : ('sha256', $fpr);
+ my $digest = pack 'H*', ($fpr =~ tr/://rd);
+
+ my $type = Net::SSLeay::EVP_get_digestbyname($algo)
+ or $self->_ssl_error("Can't find MD value for name '$algo'");
+
+ if (Net::SSLeay::X509_digest($cert, $type) ne $digest and
+ Net::SSLeay::X509_pubkey_digest($cert, $type) ne $digest) {
+ $self->warn("Fingerprint doesn't match! MiTM in action?");
+ $ok = 0;
+ }
+ }
+ $self->{_SSL_PEER_VERIFIED} = $ok;
}
return $ok; # 1=accept cert, 0=reject
}
Net::SSLeay::CTX_load_verify_locations($ctx, $file, $path)
or $self->_ssl_error("Can't load verify locations");
}
- Net::SSLeay::CTX_set_verify($ctx, Net::SSLeay::VERIFY_PEER(), sub($$) {$self->_ssl_verify(@_)});
- Net::SSLeay::CTX_set_purpose($ctx, Net::SSLeay::X509_PURPOSE_SSL_SERVER())
- or $self->_ssl_error("Can't set purpose");
}
else {
- Net::SSLeay::CTX_set_verify($ctx, Net::SSLeay::VERIFY_NONE());
+ Net::SSLeay::CTX_set_verify_depth($ctx, 0);
}
+ Net::SSLeay::CTX_set_purpose($ctx, Net::SSLeay::X509_PURPOSE_SSL_SERVER())
+ or $self->_ssl_error("Can't set purpose");
+ Net::SSLeay::CTX_set_verify($ctx, Net::SSLeay::VERIFY_PEER(), sub($$) {$self->_ssl_verify(@_)});
my $ssl = Net::SSLeay::new($ctx) or $self->fail("Can't create new SSL structure");
Net::SSLeay::set_fd($ssl, fileno $socket) or $self->fail("SSL filehandle association failed");
$self->_ssl_error("Can't initiate TLS/SSL handshake") unless Net::SSLeay::connect($ssl) == 1;
+ $self->panic("Couldn't verify") unless $self->{_SSL_PEER_VERIFIED}; # sanity check
if ($self->{debug}) {
my $v = Net::SSLeay::version($ssl);
, Net::SSLeay::get_cipher_bits($ssl)));
}
- if (defined (my $fpr = $self->{SSL_fingerprint})) {
- # ensure we're talking to the right server
- (my $algo, $fpr) = $fpr =~ /^([^\$]+)\$(.*)/ ? ($1, $2) : ('sha256', $fpr);
- my $digest = pack 'H*', ($fpr =~ tr/://rd);
-
- my $type = Net::SSLeay::EVP_get_digestbyname($algo)
- or $self->_ssl_error("Can't find MD value for name '$algo'");
-
- my $cert = Net::SSLeay::get_peer_certificate($ssl)
- or $self->_ssl_error("Can't get peer certificate");
-
- $self->fail("Fingerprint doesn't match! MiTM in action?")
- if Net::SSLeay::X509_digest($cert, $type) ne $digest and
- Net::SSLeay::X509_pubkey_digest($cert, $type) ne $digest;
- }
-
@$self{qw/_SSL _SSL_CTX/} = ($ssl, $ctx);
}
projects / interimap.git / commitdiff