From 45b7b420fa0405c21a6d2c31bfc64778bdbdf292 Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Thu, 6 Apr 2006 09:47:28 +0000
Subject: * SSL/TLS: if, for a certain server, an sslfingerprint is specified and sslcertck is NOT set, suppress printing SSL certificate mismatch errors. (Reported by Hannes Erven.) * SSL/TLS: always print if the sslfingerprint mismatches, even in silent mode. (This is for consistency with certificate verification errors.)
svn path=/branches/BRANCH_6-3/; revision=4781
---
socket.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
(limited to 'socket.c')
diff --git a/socket.c b/socket.c
index 6375163a..9f031db6 100644
--- a/socket.c
+++ b/socket.c
@@ -706,10 +706,10 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict )
 }
 /* Print the finger print. Note that on errors, we might print it more than once
 * normally; we kluge around that by using a global variable. */
- if (_check_fp) {
+ if (_check_fp == 1) {
 unsigned dp;
- _check_fp = 0;
+ _check_fp = -1;
 digest_tp = EVP_md5();
 if (digest_tp == NULL) {
 report(stderr, GT_("EVP_md5() failed!\n"));
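Review bot: `_check_fp` now takes three values (0, 1 and -1), but nothing in this hunk says what they mean; the existing comment still only mentions "a global variable". From the two hunks it appears that 0 means no fingerprint was requested, 1 means the comparison is still pending and -1 means it has already been done, so I would state that above the test: `/* _check_fp: 0 = no fingerprint configured, 1 = comparison pending, -1 = already compared on this connection */`. The later test `_check_fp != 0` in the second hunk depends on -1 staying distinct from 0 and, presumably, on the flag being set back to 1 for every new connection; that setup code is outside this diff and worth checking. The body of SSL_verify_callback starts and ends outside the hunk.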
@@ -736,16 +736,15 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict )
 if (outlevel > O_NORMAL)
 report(stdout, GT_("%s fingerprints match.\n"), _server_label);
 } else {
- if (outlevel > O_SILENT)
- report(stderr, GT_("%s fingerprints do not match!\n"), _server_label);
+ report(stderr, GT_("%s fingerprints do not match!\n"), _server_label);
 return (0);
 }
- }
- }
- }
+ } /* if (_check_digest != NULL) */
+ } /* if (_check_fp) */
+ } /* if (depth == 0 && !_depth0ck) */
- if (err != X509_V_OK && err != _prev_err) {
- _prev_err = err;
+ if (err != X509_V_OK && err != _prev_err && !(_check_fp != 0 && _check_digest && !strict)) {
+ _prev_err = err;
 report(stderr, GT_("Server certificate verification error: %s\n"), X509_verify_cert_error_string(err));
 /* We gave the error code, but maybe we can add some more details for debugging */
 switch (err) {
-- cgit v1.2.3
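Review bot: The added clause `!(_check_fp != 0 && _check_digest && !strict)` drops the verification error whenever a fingerprint is configured, without looking at whether the comparison has already run or succeeded, so nothing about the certificate error reaches the log even for troubleshooting. A mismatch still fails through `return (0)` above, so this concerns the audit trail rather than the verdict; I would keep the message at higher verbosity, e.g. `if (err != X509_V_OK && err != _prev_err && (outlevel > O_NORMAL || !(_check_fp != 0 && _check_digest && !strict))) {`. The new brace comment `/* if (_check_fp) */` is also already stale, since the same commit changes that test to `_check_fp == 1`. The function continues past the end of the hunk, so how a suppressed error affects the return value is not visible here.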