svn commit: r944033 -
/activemq/activemq-cpp/trunk/activemq-cpp/src/main/decaf/internal/net/ssl/openssl/OpenSSLSocket.cpp
Author: tabish
Date: Thu May 13 22:19:23 2010
New Revision: 944033
URL: http://svn.apache.org/viewvc?rev=944033&view=rev
Log:
https://issues.apache.org/activemq/browse/AMQCPP-140
For the client SSLSocket we turn peer verification on and enable a callback that is used to collect debug info.
Modified:
activemq/activemq-cpp/trunk/activemq-cpp/src/main/decaf/internal/net/ssl/openssl/OpenSSLSocket.cpp
Modified: activemq/activemq-cpp/trunk/activemq-cpp/src/main/decaf/internal/net/ssl/openssl/OpenSSLSocket.cpp
URL: http://svn.apache.org/viewvc/activemq/activemq-cpp/trunk/activemq-cpp/src/main/decaf/internal/net/ssl/openssl/OpenSSLSocket.cpp?rev=944033&r1=944032&r2=944033&view=diff
==============================================================================
--- activemq/activemq-cpp/trunk/activemq-cpp/src/main/decaf/internal/net/ssl/openssl/OpenSSLSocket.cpp (original)
+++ activemq/activemq-cpp/trunk/activemq-cpp/src/main/decaf/internal/net/ssl/openssl/OpenSSLSocket.cpp Thu May 13 22:19:23 2010
@@ -78,6 +78,18 @@ namespace openssl {
} catch(...) {}
}
+#ifdef HAVE_OPENSSL
+ static int verifyCallback( int verified, X509_STORE_CTX* store ) {
+
+ if( !verified ) {
+
+ // Trap debug info here about why the Certificate failed to validate.
+ }
+
+ return verified;
+ }
+#endif
+
};
}}}}}
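Review bot: The `if( !verified )` branch of the new verifyCallback is empty, so the callback collects none of the debug data the commit message describes; the failure reason is available from the store context, e.g. `int err = X509_STORE_CTX_get_error( store );` and `int depth = X509_STORE_CTX_get_error_depth( store );`, and `X509_verify_cert_error_string( err )` gives a printable reason a log line here should carry. The `return verified;` line is the security-relevant part and should say so, e.g. `// Always return OpenSSL's own verdict: returning non-zero on failure would override the result and silently disable peer verification.` OpenSSL appears to invoke this callback once per certificate in the chain, so any logging added here should expect several calls per handshake — worth confirming against the OpenSSL version in use. The enclosing SocketData class begins outside the hunk.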
@@ -144,8 +156,16 @@ void OpenSSLSocket::connect( const std::
BIO_set_fd( bio, (int)fd->getValue(), BIO_NOCLOSE );
SSL_set_bio( this->data->ssl, bio, bio );
+ // Since we are a client we want to enforce peer verification, we set a
+ // callback so we can collect data on why a verify failed for debugging.
+ SSL_set_verify( this->data->ssl, SSL_VERIFY_PEER, SocketData::verifyCallback );
+
int result = SSL_connect( this->data->ssl );
+ // Checks the error status, when things go right we still perform a deeper
+ // check on the provided certificate to ensure that it matches the host name
+ // that we connected to, this prevents someone from using any certificate
+ // signed by a signing authority that we trust.
switch( SSL_get_error( this->data->ssl, result ) ) {
case SSL_ERROR_NONE:
verifyServerCert( host );