authorAlexander Barton <alex@barton.de>2024-01-02 20:55:15 +0100
committerAlexander Barton <alex@barton.de>2024-03-23 20:19:01 +0100
commit08647ab1e7cf0d034f2d8987a3cac3201af84e02 (patch)
tree9e9eb0550576b6dfe0276d8d21192c3ff09446aa /src
parent84b019b11f761b71c8239d60e7f8db0b82a55df3 (diff)
S2S-TLS/OpenSSL: Set the verification flags only once
Set the verification flags in the ConnSSL_SetVerifyProperties_openssl
function only, don't override them in ConnSSL_InitLibrary() afterwards.

No functional changes, now ConnSSL_SetVerifyProperties_openssl() sets
exactly the parameters which ConnSSL_InitLibrary() always overwrote ...
Diffstat (limited to 'src')
-rw-r--r--src/ngircd/conn-ssl.c6
1 files changed, 2 insertions, 4 deletions
diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c
index ce4e27c1..a51f46b2 100644
--- a/src/ngircd/conn-ssl.c
+++ b/src/ngircd/conn-ssl.c
@@ -401,8 +401,6 @@ ConnSSL_InitLibrary( void )
 			    SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
 			    SSL_OP_NO_COMPRESSION);
 	SSL_CTX_set_mode(newctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
-	SSL_CTX_set_verify(newctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
-			   Verify_openssl);
 	SSL_CTX_free(ssl_ctx);
 	ssl_ctx = newctx;
 	Log(LOG_INFO, "%s initialized.", OpenSSL_version(OPENSSL_VERSION));
@@ -615,7 +613,6 @@ ConnSSL_SetVerifyProperties_openssl(SSL_CTX * ctx)
 {
 	X509_STORE *store = NULL;
 	X509_LOOKUP *lookup;
-	int verify_flags = SSL_VERIFY_PEER;
 	bool ret = false;
 
 	if (!Conf_SSLOptions.CAFile)
@@ -649,7 +646,8 @@ ConnSSL_SetVerifyProperties_openssl(SSL_CTX * ctx)
 		}
 	}
 
-	SSL_CTX_set_verify(ctx, verify_flags, Verify_openssl);
+	SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
+			   Verify_openssl);
 	SSL_CTX_set_verify_depth(ctx, MAX_CERT_CHAIN_LENGTH);
 	ret = true;
 out:
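Review bot: With the unconditional SSL_CTX_set_verify() in ConnSSL_InitLibrary() removed in the first hunk, the verify mode and the Verify_openssl callback are now installed only if control reaches the SSL_CTX_set_verify() call on the new side of this hunk; if the `if (!Conf_SSLOptions.CAFile)` guard visible in the second hunk leaves the function before that point (its body lies outside the hunk, so this is inferred), a context configured without a CAFile would keep OpenSSL's default of SSL_VERIFY_NONE, which the "no functional changes" claim in the description would not cover. It is worth confirming that early-exit path, or placing the SSL_CTX_set_verify() call ahead of the CAFile check so the verify mode no longer depends on whether a CA store was configured. A comment above the call, `/* Sole place the verify mode is set; ConnSSL_InitLibrary() no longer does it. */`, would record the new ownership for the next reader. ConnSSL_SetVerifyProperties_openssl() starts before this hunk and continues after `out:`.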