/*
 * Establish a TLS connection -- server side
 * Returns: true on success
 *          false on failure
 *
 * On success bsock->tls owns the new TLS_CONNECTION.  On any failure after
 * the connection object has been created it is freed again and bsock->tls is
 * reset to NULL, so the caller never sees a half-negotiated TLS handle.
 *
 * verify_list: optional allow-list of acceptable peer certificate commonNames.
 * When given, the handshake is only reported as successful if the peer
 * certificate's CN matches one entry.  When NULL, this function performs no
 * post-handshake identity check on the peer at all.
 */
bool bnet_tls_server(TLS_CONTEXT *ctx, BSOCK *bsock, alist *verify_list)
{
   JCR *job = bsock->jcr();
   TLS_CONNECTION *conn = new_tls_connection(ctx, bsock->m_fd);

   if (conn == NULL) {
      Qmsg0(bsock->jcr(), M_FATAL, 0, _("TLS connection initialization failed.\n"));
      return false;
   }
   /* Published to the socket before the handshake so the accept helper can use it */
   bsock->tls = conn;

   /* Server side of the TLS handshake */
   bool ok = tls_bsock_accept(bsock);
   if (!ok) {
      Qmsg0(bsock->jcr(), M_FATAL, 0, _("TLS Negotiation failed.\n"));
   } else if (verify_list != NULL && !tls_postconnect_verify_cn(job, conn, verify_list)) {
      /* Handshake completed but the peer CN is not on the allow-list */
      Qmsg1(bsock->jcr(), M_FATAL, 0,
            _("TLS certificate verification failed."
              " Peer certificate did not match a required commonName\n"),
            bsock->host());
      ok = false;
   }

   if (!ok) {
      /* Undo the partial setup so bsock is left without a TLS connection */
      free_tls_connection(conn);
      bsock->tls = NULL;
      return false;
   }

   Dmsg0(50, "TLS server negotiation established.\n");
   return true;
}
/*
 * Establish a TLS connection -- client side
 * Returns: true on success
 *          false on failure
 *
 * On success bsock->tls owns the new TLS_CONNECTION.  On any failure after
 * the connection object has been created it is freed again and bsock->tls is
 * reset to NULL.
 *
 * Peer identity is checked in one of two mutually exclusive ways:
 *  - verify_list != NULL: the peer certificate CN must match an entry of the
 *    allow-list; host-name matching is NOT performed in that case.
 *  - verify_list == NULL: the certificate must match bsock->host().  As the
 *    single exception, when the configured host is exactly "127.0.0.1" a
 *    certificate matching "localhost" is accepted as well.
 *
 * A failed handshake (tls_bsock_connect) is not reported from here; it is
 * presumably logged by the connect helper itself -- TODO confirm.
 */
bool bnet_tls_client(TLS_CONTEXT *ctx, BSOCK *bsock, alist *verify_list)
{
   JCR *job = bsock->jcr();
   TLS_CONNECTION *conn = new_tls_connection(ctx, bsock->m_fd);

   if (conn == NULL) {
      Qmsg0(bsock->jcr(), M_FATAL, 0, _("TLS connection initialization failed.\n"));
      return false;
   }
   /* Published to the socket before the handshake so the connect helper can use it */
   bsock->tls = conn;

   /* Client side of the TLS handshake */
   bool ok = tls_bsock_connect(bsock);

   if (ok && verify_list != NULL) {
      /* Allow-list mode: CN must match one configured entry */
      if (!tls_postconnect_verify_cn(job, conn, verify_list)) {
         Qmsg1(bsock->jcr(), M_FATAL, 0,
               _("TLS certificate verification failed."
                 " Peer certificate did not match a required commonName\n"),
               bsock->host());
         ok = false;
      }
   } else if (ok) {
      /* Host-name mode: certificate must match the host we connected to */
      bool host_ok = tls_postconnect_verify_host(job, conn, bsock->host());
      /* Loopback relaxation: for 127.0.0.1 a certificate for "localhost" also passes */
      if (!host_ok && strcmp(bsock->host(), "127.0.0.1") == 0) {
         host_ok = tls_postconnect_verify_host(job, conn, "localhost");
      }
      if (!host_ok) {
         Qmsg1(bsock->jcr(), M_FATAL, 0,
               _("TLS host certificate verification failed. Host name \"%s\" did not match presented certificate\n"),
               bsock->host());
         ok = false;
      }
   }

   if (!ok) {
      /* Undo the partial setup so bsock is left without a TLS connection */
      free_tls_connection(conn);
      bsock->tls = NULL;
      return false;
   }

   Dmsg0(50, "TLS client negotiation established.\n");
   return true;
}
/*
 * Release this socket's TLS connection, if any, and clear the handle so a
 * later caller cannot reuse the freed connection.  Whether a NULL tls member
 * is tolerated depends on free_tls_connection -- not visible here.
 */
void BSOCK::free_tls()
{
   free_tls_connection(tls);
   tls = NULL;
}