You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@guacamole.apache.org by vn...@apache.org on 2018/09/27 08:36:50 UTC
[4/6] guacamole-server git commit: GUACAMOLE-623: Explicitly bypass
certificate checks if requested.
GUACAMOLE-623: Explicitly bypass certificate checks if requested.
For older versions of libwebsockets, simply requesting that OpenSSL
ignore the verification result is insufficient, as libwebsockets
manually checks and confirms the verification result, producing an error
in all but specific cases.
Project: http://git-wip-us.apache.org/repos/asf/guacamole-server/repo
Commit: http://git-wip-us.apache.org/repos/asf/guacamole-server/commit/44d3433e
Tree: http://git-wip-us.apache.org/repos/asf/guacamole-server/tree/44d3433e
Diff: http://git-wip-us.apache.org/repos/asf/guacamole-server/diff/44d3433e
Branch: refs/heads/master
Commit: 44d3433ea92de6de7d127f93335c0a5be47c735c
Parents: 7ee6248
Author: Michael Jumper <mj...@apache.org>
Authored: Wed Sep 26 22:01:43 2018 -0700
Committer: Michael Jumper <mj...@apache.org>
Committed: Wed Sep 26 22:01:46 2018 -0700
----------------------------------------------------------------------
src/protocols/kubernetes/ssl.c | 28 ++++++++++++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/guacamole-server/blob/44d3433e/src/protocols/kubernetes/ssl.c
----------------------------------------------------------------------
diff --git a/src/protocols/kubernetes/ssl.c b/src/protocols/kubernetes/ssl.c
index 6ebafc6..520ce8c 100644
--- a/src/protocols/kubernetes/ssl.c
+++ b/src/protocols/kubernetes/ssl.c
@@ -110,6 +110,27 @@ static EVP_PKEY* guac_kubernetes_read_key(char* pem) {
}
+/**
+ * OpenSSL certificate verification callback which universally accepts all
+ * certificates without performing any verification at all.
+ *
+ * @param x509_ctx
+ * The current context of the certificate verification process. This
+ * parameter is ignored by this particular implementation of the callback.
+ *
+ * @param arg
+ * The arbitrary value passed to SSL_CTX_set_cert_verify_callback(). This
+ * parameter is ignored by this particular implementation of the callback.
+ *
+ * @return
+ * Strictly 0 if certificate verification fails, 1 if the certificate is
+ * verified. No other values are legal return values for this callback as
+ * documented by OpenSSL.
+ */
+static int guac_kubernetes_assume_cert_ok(X509_STORE_CTX* x509_ctx, void* arg) {
+ return 1;
+}
+
void guac_kubernetes_init_ssl(guac_client* client, SSL_CTX* context) {
guac_kubernetes_client* kubernetes_client =
@@ -118,8 +139,11 @@ void guac_kubernetes_init_ssl(guac_client* client, SSL_CTX* context) {
guac_kubernetes_settings* settings = kubernetes_client->settings;
/* Bypass certificate checks if requested */
- if (settings->ignore_cert)
- SSL_CTX_set_verify(context, SSL_VERIFY_NONE, NULL);
+ if (settings->ignore_cert) {
+ SSL_CTX_set_verify(context, SSL_VERIFY_PEER, NULL);
+ SSL_CTX_set_cert_verify_callback(context,
+ guac_kubernetes_assume_cert_ok, NULL);
+ }
/* Otherwise use the given CA certificate to validate (if any) */
else if (settings->ca_cert != NULL) {