@@ -845,6 +845,9 @@ struct ssl_func {
#define SSL_shutdown (*(int (*)(SSL *))ssl_sw[20].ptr)
#define SSL_CTX_load_verify_locations \
(*(int (*)(SSL_CTX *, const char *, const char *))ssl_sw[21].ptr)
+#define SSL_CTX_set_default_verify_paths \
+(*(int (*)(SSL_CTX *))ssl_sw[22].ptr)
+#define SSL_CTX_set_verify_depth (*(void (*)(SSL_CTX *, int))ssl_sw[23].ptr)
#define CRYPTO_num_locks (*(int (*)(void))crypto_sw[0].ptr)
#define CRYPTO_set_locking_callback \
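Review bot: The two new macros bind `ssl_sw[22]` and `ssl_sw[23]` purely by position, so they stay correct only while the ssl_sw initializer in the later hunk keeps SSL_CTX_set_default_verify_paths and SSL_CTX_set_verify_depth in exactly those slots directly after SSL_CTX_load_verify_locations at index 21; nothing in either hunk ties the two together. As shown, the order does line up, but the next entry appended to the table without a matching macro will silently dispatch through the wrong function pointer. A short comment on each new table entry would make the coupling visible, e.g. `{"SSL_CTX_set_default_verify_paths", NULL}, /* ssl_sw[22], see macro */` and `{"SSL_CTX_set_verify_depth", NULL},       /* ssl_sw[23], see macro */`.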
@@ -879,7 +882,9 @@ static struct ssl_func ssl_sw[] = {{"SSL_free", NULL},
{"SSL_pending", NULL},
{"SSL_CTX_set_verify", NULL},
{"SSL_shutdown", NULL},
- {"SSL_CTX_load_verify_locations", NULL},
+ {"SSL_CTX_load_verify_locations", NULL},
+ {"SSL_CTX_set_default_verify_paths", NULL},
+ {"SSL_CTX_set_verify_depth", NULL},
{NULL, NULL}};
/* Similar array as ssl_sw. These functions could be located in different
@@ -10021,6 +10026,9 @@ set_ssl_option(struct mg_context *ctx)
int callback_ret;
int should_verify_peer;
const char* ca_path;
+ const char* ca_file;
+ int use_default_verify_paths;
+ int verify_depth;
/* If PEM file is not specified and the init_ssl callback
* is not specified, skip SSL initialization. */
@@ -10088,14 +10096,31 @@ set_ssl_option(struct mg_context *ctx)
should_verify_peer = (ctx->config[SSL_VERIFY_PEER] != NULL)
&& (mg_strcasecmp(ctx->config[SSL_VERIFY_PEER], "yes") == 0);
+ use_default_verify_paths = (ctx->config[SSL_DEFAULT_VERIFY_PATHS] != NULL)
+ && (mg_strcasecmp(ctx->config[SSL_DEFAULT_VERIFY_PATHS], "yes") == 0);
+
if (should_verify_peer) {
ca_path = ctx->config[SSL_CA_PATH];
- if ((ca_path != NULL
- && SSL_CTX_load_verify_locations(ctx->ssl_ctx, NULL, ca_path)) == 0) {
- mg_cry(fc(ctx), "SSL_CTX_new (SSL_CTX_load_verify_locations) error: %s", ssl_error());
+ ca_file = ctx->config[SSL_CA_FILE];
+ if (SSL_CTX_load_verify_locations(ctx->ssl_ctx, ca_file, ca_path) != 1) {
+ mg_cry(fc(ctx), "SSL_CTX_load_verify_locations error: %s "
+ "ssl_verify_peer requires setting "
+ "either ssl_ca_path or ssl_ca_file. Is any of them present in "
+ "the .conf file?", ssl_error());
return 0;
}
SSL_CTX_set_verify(ctx->ssl_ctx, 3, 0);
+
+ if (use_default_verify_paths
+ && SSL_CTX_set_default_verify_paths(ctx->ssl_ctx) != 1) {
+ mg_cry(fc(ctx), "SSL_CTX_set_default_verify_paths error: %s", ssl_error());
+ return 0;
+ }
+
+ if (ctx->config[SSL_VERIFY_DEPTH]){
+ verify_depth = atoi(ctx->config[SSL_VERIFY_DEPTH]);
+ SSL_CTX_set_verify_depth(ctx->ssl_ctx, verify_depth);
+ }
}
return 1;
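Review bot: The new SSL_CTX_set_default_verify_paths branch cannot be used on its own, because it sits after the SSL_CTX_load_verify_locations check, which now runs unconditionally with ca_file and ca_path; OpenSSL documents that call as returning 0 when both are NULL, so a configuration that enables only the default verify paths still fails with the "either ssl_ca_path or ssl_ca_file" message. The load call should be guarded on at least one explicit location being configured, the default paths applied, and only a configuration with no trust source at all rejected. Separately, `atoi` on the SSL_VERIFY_DEPTH value silently turns non-numeric text into depth 0 and passes negative values straight to SSL_CTX_set_verify_depth; parsing with strtol and rejecting anything outside 0..INT_MAX keeps a typo in the config from changing the chain-validation limit unnoticed. The rewritten should_verify_peer block is below; set_ssl_option itself begins outside the hunk.
```c
	if (should_verify_peer) {
		ca_path = ctx->config[SSL_CA_PATH];
		ca_file = ctx->config[SSL_CA_FILE];
		/* Only consult explicit locations when at least one is set;
		 * SSL_CTX_load_verify_locations fails when both are NULL. */
		if ((ca_file != NULL || ca_path != NULL)
		    && SSL_CTX_load_verify_locations(ctx->ssl_ctx, ca_file, ca_path) != 1) {
			mg_cry(fc(ctx), "SSL_CTX_load_verify_locations error: %s", ssl_error());
			return 0;
		}
		if (use_default_verify_paths
		    && SSL_CTX_set_default_verify_paths(ctx->ssl_ctx) != 1) {
			mg_cry(fc(ctx), "SSL_CTX_set_default_verify_paths error: %s", ssl_error());
			return 0;
		}
		if (ca_file == NULL && ca_path == NULL && !use_default_verify_paths) {
			mg_cry(fc(ctx), "ssl_verify_peer requires ssl_ca_path, ssl_ca_file "
			                "or the default verify paths to be configured");
			return 0;
		}
		SSL_CTX_set_verify(ctx->ssl_ctx, 3, 0);

		if (ctx->config[SSL_VERIFY_DEPTH]) {
			const char *depth_str = ctx->config[SSL_VERIFY_DEPTH];
			char *end;
			long depth = strtol(depth_str, &end, 10);
			/* Reject empty, trailing garbage, negative or oversized values
			 * instead of letting atoi() map them to an unintended depth. */
			if (end == depth_str || *end != '\0' || depth < 0 || depth > INT_MAX) {
				mg_cry(fc(ctx), "invalid ssl_verify_depth value: %s", depth_str);
				return 0;
			}
			SSL_CTX_set_verify_depth(ctx->ssl_ctx, (int)depth);
		}
	}
```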