Add an option to provide a CA cert for server certificate verification

Enable this option with -C/--cacert
Stephen Kent 2016-08-18 10:26:41 -07:00
parent 5a7692f28f
commit 655845108c
4 changed files with 41 additions and 4 deletions


@ -27,6 +27,7 @@
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include "proxytunnel.h"
@ -241,6 +242,9 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) {
long ssl_options = 0;
X509* cert = NULL;
int status;
struct stat st_buf;
const char *ca_file = NULL;
const char *ca_dir = "/etc/ssl/certs/"; /* Default cert directory if none given */
long vresult;
char *peer_host = NULL;
@ -263,8 +267,20 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) {
SSL_CTX_set_options (ctx, ssl_options);
if ( !args_info.no_check_cert_flag ) {
if (!SSL_CTX_load_verify_locations(ctx, NULL, ca_dir)) {
message("Error loading certificates from %s\n", ca_dir);
if ( args_info.cacert_given ) {
if ((status = stat(args_info.cacert_arg, &st_buf)) != 0) {
message("Error reading certificate path %s\n", args_info.cacert_arg);
goto fail;
}
if (S_ISDIR(st_buf.st_mode)) {
ca_dir = args_info.cacert_arg;
} else {
ca_dir = NULL;
ca_file = args_info.cacert_arg;
}
}
if (!SSL_CTX_load_verify_locations(ctx, ca_file, ca_dir)) {
message("Error loading certificate(s) from %s\n", args_info.cacert_arg);
goto fail;
}
}