int DoSSLClientNegotiation(STREAM *S, int Flags)
{
int result=FALSE;
#ifdef HAVE_LIBSSL
const SSL_METHOD *Method;
SSL_CTX *ctx;
SSL *ssl;
//struct x509 *cert=NULL;
char *ptr;
if (S)
{
INTERNAL_SSL_INIT();
// SSL_load_ciphers();
Method=SSLv23_client_method();
ctx=SSL_CTX_new(Method);
if (! ctx) HandleSSLError();
else
{
STREAM_INTERNAL_SSL_ADD_SECURE_KEYS(S,ctx);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, OpenSSLVerifyCallback);
ssl=SSL_new(ctx);
SSL_set_fd(ssl,S->in_fd);
STREAMSetItem(S,"LIBUSEFUL-SSL-CTX",ssl);
SSL_set_options(ssl, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2); //SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1
ptr=LibUsefulGetValue("SSL-Permitted-Ciphers");
if (ptr) SSL_set_cipher_list(ssl, ptr);
result=SSL_connect(ssl);
S->Flags|=SF_SSL;
OpenSSLQueryCipher(S);
OpenSSLVerifyCertificate(S);
}
}
#endif
return(result);
}
int DoSSLClientNegotiation(STREAM *S, int Flags)
{
int result=FALSE, val;
#ifdef HAVE_LIBSSL
SSL_METHOD *Method;
SSL_CTX *ctx;
SSL *ssl;
//struct x509 *cert=NULL;
X509 *cert=NULL;
if (S)
{
INTERNAL_SSL_INIT();
// SSL_load_ciphers();
Method=SSLv23_client_method();
if (! Method) Method=SSLv2_client_method();
ctx=SSL_CTX_new(Method);
if (! ctx) HandleSSLError();
else
{
STREAM_INTERNAL_SSL_ADD_SECURE_KEYS(S,ctx);
ssl=SSL_new(ctx);
SSL_set_fd(ssl,S->in_fd);
STREAMSetItem(S,"LIBUSEFUL-SSL-CTX",ssl);
result=SSL_connect(ssl);
S->Flags|=SF_SSL;
val=SSL_get_verify_result(ssl);
switch(val)
{
case X509_V_OK:
STREAMSetValue(S,"SSL-Certificate-Verify","OK");
break;
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
STREAMSetValue(S,"SSL-Certificate-Verify","unable to get issuer");
break;
case X509_V_ERR_UNABLE_TO_GET_CRL:
STREAMSetValue(S,"SSL-Certificate-Verify","unable to get certificate CRL");
break;
case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
STREAMSetValue(S,"SSL-Certificate-Verify","unable to decrypt certificate's signature");
break;
case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
STREAMSetValue(S,"SSL-Certificate-Verify","unable to decrypt CRL's signature");
break;
case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
STREAMSetValue(S,"SSL-Certificate-Verify","unable to decode issuer public key");
break;
case X509_V_ERR_CERT_SIGNATURE_FAILURE:
STREAMSetValue(S,"SSL-Certificate-Verify","certificate signature invalid");
break;
case X509_V_ERR_CRL_SIGNATURE_FAILURE:
STREAMSetValue(S,"SSL-Certificate-Verify","CRL signature invalid");
break;
case X509_V_ERR_CERT_NOT_YET_VALID:
STREAMSetValue(S,"SSL-Certificate-Verify","certificate is not yet valid");
break;
case X509_V_ERR_CERT_HAS_EXPIRED:
STREAMSetValue(S,"SSL-Certificate-Verify","certificate has expired");
break;
case X509_V_ERR_CRL_NOT_YET_VALID:
STREAMSetValue(S,"SSL-Certificate-Verify","CRL is not yet valid the CRL is not yet valid.");
break;
case X509_V_ERR_CRL_HAS_EXPIRED:
STREAMSetValue(S,"SSL-Certificate-Verify","CRL has expired the CRL has expired.");
break;
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
STREAMSetValue(S,"SSL-Certificate-Verify","invalid notBefore value");
break;
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
STREAMSetValue(S,"SSL-Certificate-Verify","invalid notAfter value");
break;
case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
STREAMSetValue(S,"SSL-Certificate-Verify","invalid CRL lastUpdate value");
break;
case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
STREAMSetValue(S,"SSL-Certificate-Verify","invalid CRL nextUpdate value");
break;
case X509_V_ERR_OUT_OF_MEM:
STREAMSetValue(S,"SSL-Certificate-Verify","out of memory");
break;
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
STREAMSetValue(S,"SSL-Certificate-Verify","self signed certificate");
break;
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
STREAMSetValue(S,"SSL-Certificate-Verify","self signed certificate in certificate chain");
break;
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
STREAMSetValue(S,"SSL-Certificate-Verify","cant find root certificate in local database");
break;
case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
STREAMSetValue(S,"SSL-Certificate-Verify","ERROR: unable to verify the first certificate");
break;
case X509_V_ERR_CERT_CHAIN_TOO_LONG:
STREAMSetValue(S,"SSL-Certificate-Verify","certificate chain too long");
break;
case X509_V_ERR_CERT_REVOKED:
STREAMSetValue(S,"SSL-Certificate-Verify","certificate revoked");
break;
case X509_V_ERR_INVALID_CA:
STREAMSetValue(S,"SSL-Certificate-Verify","invalid CA certificate");
break;
case X509_V_ERR_PATH_LENGTH_EXCEEDED:
STREAMSetValue(S,"SSL-Certificate-Verify","path length constraint exceeded");
break;
case X509_V_ERR_INVALID_PURPOSE:
STREAMSetValue(S,"SSL-Certificate-Verify","unsupported certificate purpose");
break;
case X509_V_ERR_CERT_UNTRUSTED:
STREAMSetValue(S,"SSL-Certificate-Verify","certificate not trusted");
break;
case X509_V_ERR_CERT_REJECTED:
STREAMSetValue(S,"SSL-Certificate-Verify","certificate rejected");
break;
case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
STREAMSetValue(S,"SSL-Certificate-Verify","subject issuer mismatch");
break;
case X509_V_ERR_AKID_SKID_MISMATCH:
STREAMSetValue(S,"SSL-Certificate-Verify","authority and subject key identifier mismatch");
break;
case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
STREAMSetValue(S,"SSL-Certificate-Verify","authority and issuer serial number mismatch");
break;
case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
STREAMSetValue(S,"SSL-Certificate-Verify","key usage does not include certificate signing");
break;
case X509_V_ERR_APPLICATION_VERIFICATION:
STREAMSetValue(S,"SSL-Certificate-Verify","application verification failure");
break;
}
}
cert=SSL_get_peer_certificate(ssl);
if (cert)
{
STREAMSetValue(S,"SSL-Certificate-Issuer",X509_NAME_oneline( X509_get_issuer_name(cert),NULL, 0));
}
}
STREAMSetValue(S,"SSL-Cipher",STREAMQuerySSLCipher(S));
#endif
return(result);
}
