Posted to commits@activemq.apache.org by ta...@apache.org on 2010/05/14 00:19:24 UTC

svn commit: r944033 - /activemq/activemq-cpp/trunk/activemq-cpp/src/main/decaf/internal/net/ssl/openssl/OpenSSLSocket.cpp

Author: tabish
Date: Thu May 13 22:19:23 2010
New Revision: 944033

URL: http://svn.apache.org/viewvc?rev=944033&view=rev
Log:
https://issues.apache.org/activemq/browse/AMQCPP-140

For the client SSLSocket we turn peer verification on and enable a callback used to collect debug info.

Modified:
    activemq/activemq-cpp/trunk/activemq-cpp/src/main/decaf/internal/net/ssl/openssl/OpenSSLSocket.cpp

Modified: activemq/activemq-cpp/trunk/activemq-cpp/src/main/decaf/internal/net/ssl/openssl/OpenSSLSocket.cpp
URL: http://svn.apache.org/viewvc/activemq/activemq-cpp/trunk/activemq-cpp/src/main/decaf/internal/net/ssl/openssl/OpenSSLSocket.cpp?rev=944033&r1=944032&r2=944033&view=diff
==============================================================================
--- activemq/activemq-cpp/trunk/activemq-cpp/src/main/decaf/internal/net/ssl/openssl/OpenSSLSocket.cpp (original)
+++ activemq/activemq-cpp/trunk/activemq-cpp/src/main/decaf/internal/net/ssl/openssl/OpenSSLSocket.cpp Thu May 13 22:19:23 2010
@@ -78,6 +78,18 @@ namespace openssl {
             } catch(...) {}
         }
 
+#ifdef HAVE_OPENSSL
+        static int verifyCallback( int verified, X509_STORE_CTX* store ) {
+
+            if( !verified ) {
+
+                // Trap debug info here about why the Certificate failed to validate.
+            }
+
+            return verified;
+        }
+#endif
+
     };
 
 }}}}}
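Review bot: The `if( !verified )` body in verifyCallback is empty, so nothing is actually collected despite the comment saying debug info is trapped here, and the `store` argument is never read. The failure reason is available from the context, e.g. `int err = X509_STORE_CTX_get_error( store );` and `int depth = X509_STORE_CTX_get_error_depth( store );` (with `X509_verify_cert_error_string( err )` for a readable message), which is what a log line would need. Keep `return verified;` exactly as written: passing OpenSSL's own verdict through is what keeps SSL_VERIFY_PEER enforced, and a future edit that returns 1 here would silently accept untrusted certificates. The enclosing class starts outside the hunk.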
@@ -144,8 +156,16 @@ void OpenSSLSocket::connect( const std::
             BIO_set_fd( bio, (int)fd->getValue(), BIO_NOCLOSE );
             SSL_set_bio( this->data->ssl, bio, bio );
 
+            // Since we are a client we want to enforce peer verification, we set a
+            // callback so we can collect data on why a verify failed for debugging.
+            SSL_set_verify( this->data->ssl, SSL_VERIFY_PEER, SocketData::verifyCallback );
+
             int result = SSL_connect( this->data->ssl );
 
+            // Checks the error status, when things go right we still perform a deeper
+            // check on the provided certificate to ensure that it matches the host name
+            // that we connected to, this prevents someone from using any certificate
+            // signed by a signing authority that we trust.
             switch( SSL_get_error( this->data->ssl, result ) ) {
                 case SSL_ERROR_NONE:
                     verifyServerCert( host );
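Review bot: The new SSL_set_verify call requests peer verification per connection, but nothing in the hunk shows where the trust anchors come from; presumably with SSL_VERIFY_PEER and an SSL_CTX that has no CA store loaded, SSL_connect fails and SSL_get_error reports SSL_ERROR_SSL rather than SSL_ERROR_NONE, and the branch handling that case lies outside the hunk. It would help readers to state the dependency in the new comment, e.g. `// Requires the SSL_CTX to have a trust store loaded; otherwise SSL_connect fails.`, and in the error branch to include `SSL_get_verify_result( this->data->ssl )` in the reported error so a trust failure can be told apart from other handshake errors. connect()'s body begins before and continues after this hunk.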