Commit 5ba2ec0f authored by Nikos Mavrogiannopoulos's avatar Nikos Mavrogiannopoulos Committed by David Woodhouse

Added openconnect_set_system_trust()

This functions allows to disable the default system trust CAs.
Signed-off-by: default avatarNikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
parent 280edc04
......@@ -1877,13 +1877,15 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
if (!vpninfo->https_cred) {
gnutls_certificate_allocate_credentials(&vpninfo->https_cred);
if (!vpninfo->no_system_trust) {
#ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_SYSTEM_TRUST
gnutls_certificate_set_x509_system_trust(vpninfo->https_cred);
gnutls_certificate_set_x509_system_trust(vpninfo->https_cred);
#else
gnutls_certificate_set_x509_trust_file(vpninfo->https_cred,
DEFAULT_SYSTEM_CAFILE,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_trust_file(vpninfo->https_cred,
DEFAULT_SYSTEM_CAFILE,
GNUTLS_X509_FMT_PEM);
#endif
}
gnutls_certificate_set_verify_function(vpninfo->https_cred,
verify_peer);
......
......@@ -314,6 +314,11 @@ int openconnect_set_cafile(struct openconnect_info *vpninfo, const char *cafile)
return 0;
}
void openconnect_set_system_trust(struct openconnect_info *vpninfo, unsigned val)
{
vpninfo->no_system_trust = !val;
}
int openconnect_set_server_cert_sha1(struct openconnect_info *vpninfo,
const char *servercert)
{
......
......@@ -240,6 +240,7 @@ struct openconnect_info {
const char *sslkey;
char *cert_password;
char *cafile;
unsigned no_system_trust;
char *servercert;
const char *xmlconfig;
char xmlsha1[(SHA1_SIZE * 2) + 1];
......
......@@ -351,6 +351,14 @@ int openconnect_set_stoken_mode(struct openconnect_info *, int, const char *);
void openconnect_set_xmlsha1(struct openconnect_info *, const char *, int size);
int openconnect_set_cafile(struct openconnect_info *, const char *);
/* call this function to disable the system trust from being used to
* verify the server certificate. @val is a boolean value.
*
* For backwards compatibility reasons this is enabled by default.
*/
void openconnect_set_system_trust(struct openconnect_info *vpninfo, unsigned val);
int openconnect_setup_csd(struct openconnect_info *, uid_t, int silent, const char *wrapper);
void openconnect_set_xmlpost(struct openconnect_info *, int enable);
......
......@@ -1373,8 +1373,9 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
SSL_CTX_set_cert_verify_callback(vpninfo->https_ctx,
ssl_app_verify_callback, NULL);
#endif
SSL_CTX_set_default_verify_paths(vpninfo->https_ctx);
if (!vpninfo->no_system_trust)
SSL_CTX_set_default_verify_paths(vpninfo->https_ctx);
if (vpninfo->pfs)
SSL_CTX_set_cipher_list(vpninfo->https_ctx, "HIGH:!aNULL:!eNULL:-RSA");
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment