static Boolean verifyCertificate(SSLCertificateInfo &certInfo) { #ifdef DEBUG PEGASUS_STD(cout) << certInfo.getSubjectName() << endl; #endif //ATTN-NB-03-05132002: Add code to handle server certificate verification. return true; }
static Boolean verifyCertificate(SSLCertificateInfo &certInfo) { #ifdef DEBUG cout << certInfo.getSubjectName() << endl; #endif // // If server certificate was found in trust store and validated, then // return 'true' to accept the certificate, otherwise return 'false'. // if (certInfo.getResponseCode() == 1) { return true; } else { return false; } }
// This callback is used when using SSL for a "local" connection. static Boolean verifyServerCertificate(SSLCertificateInfo &certInfo) { // // If server certificate was found in CA trust store and validated, then // return 'true' to accept the certificate, otherwise return 'false'. // if (certInfo.getResponseCode() == 1) { return true; } else { return false; } }
Sint32 SSLSocket::accept() { PEG_METHOD_ENTER(TRC_SSL, "SSLSocket::accept()"); SSL* sslConnection = static_cast<SSL*>(_SSLConnection); Sint32 ssl_rc,ssl_rsn; //ATTN: these methods get implicitly done with the SSL_accept call //SSL_do_handshake(sslConnection); //SSL_set_accept_state(sslConnection); // Make sure the SSLContext object is not updated during this operation. ReadLock rlock(*_sslContextObjectLock); ssl_rc = SSL_accept(sslConnection); if (ssl_rc < 0) { ssl_rsn = SSL_get_error(sslConnection, ssl_rc); if ((ssl_rsn == SSL_ERROR_WANT_READ) || (ssl_rsn == SSL_ERROR_WANT_WRITE)) { PEG_METHOD_EXIT(); return 0; } else { if (Tracer::isTraceOn()) { unsigned long rc = ERR_get_error (); char buff[256]; // added in OpenSSL 0.9.6: ERR_error_string_n(rc, buff, sizeof(buff)); PEG_TRACE((TRC_DISCARDED_DATA, Tracer::LEVEL1, "---> SSL: Not accepted %d %s client IP address : %s", ssl_rsn, buff, (const char*)_ipAddress.getCString() )); } // // If there was a verification error, create a audit log entry. // if (!(ssl_rsn == SSL_ERROR_SYSCALL || ssl_rsn == SSL_ERROR_ZERO_RETURN) && _SSLContext->isPeerVerificationEnabled()) { Array<SSLCertificateInfo*> certs = getPeerCertificateChain(); if (certs.size() > 0) { SSLCertificateInfo* clientCert = certs[0]; PEGASUS_ASSERT(clientCert != NULL); char serialNumberString[32]; sprintf(serialNumberString, "%lu", (unsigned long)clientCert->getSerialNumber()); PEG_AUDIT_LOG(logCertificateBasedAuthentication( clientCert->getIssuerName(), clientCert->getSubjectName(), serialNumberString, _ipAddress, false)); } } PEG_METHOD_EXIT(); return -1; } } else if (ssl_rc == 0) { PEG_TRACE(( TRC_SSL, Tracer::LEVEL1, "Shutdown SSL_accept(). Error Code: %d Error string: %s", SSL_get_error(sslConnection, ssl_rc), ERR_error_string(ssl_rc, NULL))); PEG_METHOD_EXIT(); return -1; } PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: Accepted"); // // If peer certificate verification is enabled or request received on // export connection, get the peer certificate and verify the trust // store validation result. // if (_SSLContext->isPeerVerificationEnabled()) { PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, "Attempting to certify client"); // // get client's certificate // Array<SSLCertificateInfo*> certs = getPeerCertificateChain(); if (certs.size() > 0) { SSLCertificateInfo* clientCert = certs[0]; PEGASUS_ASSERT(clientCert != NULL); // // get certificate verification result and create a audit log entry. // int verifyResult = SSL_get_verify_result(sslConnection); PEG_TRACE((TRC_SSL, Tracer::LEVEL4, "Verification Result: %d", verifyResult )); _certificateVerified = (verifyResult == X509_V_OK); char serialNumberString[32]; sprintf(serialNumberString, "%lu", (unsigned long)clientCert->getSerialNumber()); PEG_AUDIT_LOG(logCertificateBasedAuthentication( clientCert->getIssuerName(), clientCert->getSubjectName(), serialNumberString, _ipAddress, _certificateVerified)); } else { PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: Client not certified, no certificate received"); } } else { PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: Client certificate verification disabled"); } PEG_METHOD_EXIT(); return 1; }