static Boolean verifyCertificate(SSLCertificateInfo &certInfo)
{
#ifdef DEBUG
PEGASUS_STD(cout) << certInfo.getSubjectName() << endl;
#endif
//ATTN-NB-03-05132002: Add code to handle server certificate verification.
return true;
}
static Boolean verifyCertificate(SSLCertificateInfo &certInfo)
{
#ifdef DEBUG
cout << certInfo.getSubjectName() << endl;
#endif
//
// If server certificate was found in trust store and validated, then
// return 'true' to accept the certificate, otherwise return 'false'.
//
if (certInfo.getResponseCode() == 1)
{
return true;
}
else
{
return false;
}
}
// This callback is used when using SSL for a "local" connection.
static Boolean verifyServerCertificate(SSLCertificateInfo &certInfo)
{
//
// If server certificate was found in CA trust store and validated, then
// return 'true' to accept the certificate, otherwise return 'false'.
//
if (certInfo.getResponseCode() == 1)
{
return true;
}
else
{
return false;
}
}
Sint32 SSLSocket::accept()
{
PEG_METHOD_ENTER(TRC_SSL, "SSLSocket::accept()");
SSL* sslConnection = static_cast<SSL*>(_SSLConnection);
Sint32 ssl_rc,ssl_rsn;
//ATTN: these methods get implicitly done with the SSL_accept call
//SSL_do_handshake(sslConnection);
//SSL_set_accept_state(sslConnection);
// Make sure the SSLContext object is not updated during this operation.
ReadLock rlock(*_sslContextObjectLock);
ssl_rc = SSL_accept(sslConnection);
if (ssl_rc < 0)
{
ssl_rsn = SSL_get_error(sslConnection, ssl_rc);
if ((ssl_rsn == SSL_ERROR_WANT_READ) ||
(ssl_rsn == SSL_ERROR_WANT_WRITE))
{
PEG_METHOD_EXIT();
return 0;
}
else
{
if (Tracer::isTraceOn())
{
unsigned long rc = ERR_get_error ();
char buff[256];
// added in OpenSSL 0.9.6:
ERR_error_string_n(rc, buff, sizeof(buff));
PEG_TRACE((TRC_DISCARDED_DATA, Tracer::LEVEL1,
"---> SSL: Not accepted %d %s client IP address : %s",
ssl_rsn, buff, (const char*)_ipAddress.getCString() ));
}
//
// If there was a verification error, create a audit log entry.
//
if (!(ssl_rsn == SSL_ERROR_SYSCALL ||
ssl_rsn == SSL_ERROR_ZERO_RETURN) &&
_SSLContext->isPeerVerificationEnabled())
{
Array<SSLCertificateInfo*> certs =
getPeerCertificateChain();
if (certs.size() > 0)
{
SSLCertificateInfo* clientCert = certs[0];
PEGASUS_ASSERT(clientCert != NULL);
char serialNumberString[32];
sprintf(serialNumberString, "%lu",
(unsigned long)clientCert->getSerialNumber());
PEG_AUDIT_LOG(logCertificateBasedAuthentication(
clientCert->getIssuerName(),
clientCert->getSubjectName(),
serialNumberString,
_ipAddress,
false));
}
}
PEG_METHOD_EXIT();
return -1;
}
}
else if (ssl_rc == 0)
{
PEG_TRACE((
TRC_SSL,
Tracer::LEVEL1,
"Shutdown SSL_accept(). Error Code: %d Error string: %s",
SSL_get_error(sslConnection, ssl_rc),
ERR_error_string(ssl_rc, NULL)));
PEG_METHOD_EXIT();
return -1;
}
PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: Accepted");
//
// If peer certificate verification is enabled or request received on
// export connection, get the peer certificate and verify the trust
// store validation result.
//
if (_SSLContext->isPeerVerificationEnabled())
{
PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
"Attempting to certify client");
//
// get client's certificate
//
Array<SSLCertificateInfo*> certs = getPeerCertificateChain();
if (certs.size() > 0)
{
SSLCertificateInfo* clientCert = certs[0];
PEGASUS_ASSERT(clientCert != NULL);
//
// get certificate verification result and create a audit log entry.
//
int verifyResult = SSL_get_verify_result(sslConnection);
PEG_TRACE((TRC_SSL, Tracer::LEVEL4,
"Verification Result: %d", verifyResult ));
_certificateVerified = (verifyResult == X509_V_OK);
char serialNumberString[32];
sprintf(serialNumberString, "%lu",
(unsigned long)clientCert->getSerialNumber());
PEG_AUDIT_LOG(logCertificateBasedAuthentication(
clientCert->getIssuerName(),
clientCert->getSubjectName(),
serialNumberString,
_ipAddress,
_certificateVerified));
}
else
{
PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL3,
"---> SSL: Client not certified, no certificate received");
}
}
else
{
PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL3,
"---> SSL: Client certificate verification disabled");
}
PEG_METHOD_EXIT();
return 1;
}
