Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Added openconnect_set_system_trust()
This functions allows to disable the default system trust CAs.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
  • Loading branch information
nmav authored and David Woodhouse committed Oct 28, 2014
1 parent 280edc0 commit 5ba2ec0
Show file tree
Hide file tree
Showing 5 changed files with 23 additions and 6 deletions.
10 changes: 6 additions & 4 deletions gnutls.c
Expand Up @@ -1877,13 +1877,15 @@ int openconnect_open_https(struct openconnect_info *vpninfo)

if (!vpninfo->https_cred) {
gnutls_certificate_allocate_credentials(&vpninfo->https_cred);
if (!vpninfo->no_system_trust) {
#ifdef HAVE_GNUTLS_CERTIFICATE_SET_X509_SYSTEM_TRUST
gnutls_certificate_set_x509_system_trust(vpninfo->https_cred);
gnutls_certificate_set_x509_system_trust(vpninfo->https_cred);
#else
gnutls_certificate_set_x509_trust_file(vpninfo->https_cred,
DEFAULT_SYSTEM_CAFILE,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_trust_file(vpninfo->https_cred,
DEFAULT_SYSTEM_CAFILE,
GNUTLS_X509_FMT_PEM);
#endif
}
gnutls_certificate_set_verify_function(vpninfo->https_cred,
verify_peer);

Expand Down
5 changes: 5 additions & 0 deletions library.c
Expand Up @@ -314,6 +314,11 @@ int openconnect_set_cafile(struct openconnect_info *vpninfo, const char *cafile)
return 0;
}

void openconnect_set_system_trust(struct openconnect_info *vpninfo, unsigned val)
{
vpninfo->no_system_trust = !val;
}

int openconnect_set_server_cert_sha1(struct openconnect_info *vpninfo,
const char *servercert)
{
Expand Down
1 change: 1 addition & 0 deletions openconnect-internal.h
Expand Up @@ -240,6 +240,7 @@ struct openconnect_info {
const char *sslkey;
char *cert_password;
char *cafile;
unsigned no_system_trust;
char *servercert;
const char *xmlconfig;
char xmlsha1[(SHA1_SIZE * 2) + 1];
Expand Down
8 changes: 8 additions & 0 deletions openconnect.h
Expand Up @@ -351,6 +351,14 @@ int openconnect_set_stoken_mode(struct openconnect_info *, int, const char *);
void openconnect_set_xmlsha1(struct openconnect_info *, const char *, int size);

int openconnect_set_cafile(struct openconnect_info *, const char *);

/* call this function to disable the system trust from being used to
* verify the server certificate. @val is a boolean value.
*
* For backwards compatibility reasons this is enabled by default.
*/
void openconnect_set_system_trust(struct openconnect_info *vpninfo, unsigned val);

int openconnect_setup_csd(struct openconnect_info *, uid_t, int silent, const char *wrapper);
void openconnect_set_xmlpost(struct openconnect_info *, int enable);

Expand Down
5 changes: 3 additions & 2 deletions openssl.c
Expand Up @@ -1373,8 +1373,9 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
SSL_CTX_set_cert_verify_callback(vpninfo->https_ctx,
ssl_app_verify_callback, NULL);
#endif
SSL_CTX_set_default_verify_paths(vpninfo->https_ctx);

if (!vpninfo->no_system_trust)
SSL_CTX_set_default_verify_paths(vpninfo->https_ctx);

if (vpninfo->pfs)
SSL_CTX_set_cipher_list(vpninfo->https_ctx, "HIGH:!aNULL:!eNULL:-RSA");

Expand Down

0 comments on commit 5ba2ec0

Please sign in to comment.