Posted to java-dev@axis.apache.org by du...@apache.org on 2007/09/20 02:39:32 UTC
svn commit: r577485 -
/webservices/axis2/trunk/c/src/core/transport/http/sender/ssl/ssl_utils.c
Author: dumindu
Date: Wed Sep 19 17:39:31 2007
New Revision: 577485
URL: http://svn.apache.org/viewvc?rev=577485&view=rev
Log:
Fixed JIRA AXIS2C-698. SSL transport now verifies the certificate chain.
Added code for logging on ssl_client.
Modified:
webservices/axis2/trunk/c/src/core/transport/http/sender/ssl/ssl_utils.c
Modified: webservices/axis2/trunk/c/src/core/transport/http/sender/ssl/ssl_utils.c
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/c/src/core/transport/http/sender/ssl/ssl_utils.c?rev=577485&r1=577484&r2=577485&view=diff
==============================================================================
--- webservices/axis2/trunk/c/src/core/transport/http/sender/ssl/ssl_utils.c (original)
+++ webservices/axis2/trunk/c/src/core/transport/http/sender/ssl/ssl_utils.c Wed Sep 19 17:39:31 2007
@@ -21,8 +21,7 @@
char *buf,
int size,
int rwflag,
- void *passwd
- )
+ void *passwd)
{
strncpy(buf, (char *)passwd, size);
buf[size-1] = '\0';
@@ -34,8 +33,7 @@
const axutil_env_t *env,
axis2_char_t *server_cert,
axis2_char_t *key_file,
- axis2_char_t *ssl_pp
-)
+ axis2_char_t *ssl_pp)
{
SSL_METHOD *meth = NULL;
SSL_CTX *ctx = NULL;
@@ -43,8 +41,9 @@
AXIS2_ENV_CHECK(env, NULL);
- if (! ca_file)
+ if (!ca_file)
{
+ AXIS2_LOG_INFO(env->log, "[ssl client] CA certificate not specified");
AXIS2_ERROR_SET(env->error, AXIS2_ERROR_SSL_NO_CA_FILE,
AXIS2_FAILURE);
return NULL;
@@ -69,34 +68,47 @@
*/
if (key_file) /*can we check if the server needs client auth?*/
{
+ if (!ssl_pp)
+ AXIS2_LOG_INFO(env->log, "[ssl client] No passphrase for the "
+ "specified");
+
SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)ssl_pp);
SSL_CTX_set_default_passwd_cb(ctx, password_cb);
if(!(SSL_CTX_use_certificate_chain_file(ctx, key_file)))
{
- AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[ssl client] loading client certificate failed ");
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "[ssl client] Loading client certificate failed ");
SSL_CTX_free(ctx);
return NULL;
}
if(!(SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM)))
{
- AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[ssl client] Loading client key failed");
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[ssl client] Loading client key failed");
SSL_CTX_free(ctx);
return NULL;
}
}
+ else
+ {
+ AXIS2_LOG_INFO(env->log, "[ssl client] Client certificate chain file "
+ "not specified");
+ }
/* Load the CAs we trust*/
if (!(SSL_CTX_load_verify_locations(ctx, ca_file, 0)))
{
- AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "[ ssl client ] Loading CA certificate failed ");
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
+ "[ssl client] Loading CA certificate failed");
SSL_CTX_free(ctx);
return NULL;
}
+ /* verify depth should be read from axis2.xml, let's use the default for
+ * the moment*/
#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
- SSL_CTX_set_verify_depth(ctx, 1);
+ /*SSL_CTX_set_verify_depth(ctx, 1);*/
#endif
return ctx;
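Review bot: The new `if (!ssl_pp)` at the top of the key_file branch only logs; the following two lines still register password_cb with a NULL userdata, and password_cb (first hunk of this commit) copies through that pointer with `strncpy(buf, (char *)passwd, size)`, so an encrypted key file combined with a missing passphrase dereferences NULL inside OpenSSL's callback. Either install the callback only when a passphrase exists, `if (ssl_pp) { SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)ssl_pp); SSL_CTX_set_default_passwd_cb(ctx, password_cb); }`, or make password_cb return 0 on a NULL passwd so the key load fails cleanly with the existing error path. The message split across the two string literals reads "No passphrase for the specified" and appears to have lost its object, presumably `"[ssl client] No passphrase specified for the key file"`. The `/*SSL_CTX_set_verify_depth(ctx, 1);*/` left under the OPENSSL_VERSION_NUMBER guard is commented-out code; delete it and keep only the preceding comment as the TODO for reading the depth from axis2.xml.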
@@ -106,8 +118,7 @@
axis2_ssl_utils_initialize_ssl(
const axutil_env_t *env,
SSL_CTX *ctx,
- axis2_socket_t socket
- )
+ axis2_socket_t socket)
{
SSL *ssl = NULL;
BIO *sbio = NULL;
@@ -116,12 +127,12 @@
AXIS2_PARAM_CHECK(env->error, ctx, NULL);
ssl = SSL_new(ctx);
- if (! ssl)
+ if (!ssl)
{
return NULL;
}
sbio = BIO_new_socket(socket, BIO_NOCLOSE);
- if (! sbio)
+ if (!sbio)
{
return NULL;
}
@@ -132,6 +143,19 @@
AXIS2_FAILURE);
return NULL;
}
+
+ if (SSL_get_verify_result(ssl) != X509_V_OK)
+ {
+ char sslerror[120];
+ char outmsg[170];
+ ERR_error_string(SSL_get_verify_result(ssl), sslerror);
+ snprintf(outmsg, 170,
+ "[ssl client] SSL certificate verification failed (%s)",
+ sslerror);
+ AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, outmsg);
+ return NULL;
+ }
+
return ssl;
}
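Review bot: In the new verification block `ERR_error_string` is given the value of `SSL_get_verify_result`, but that function formats packed ERR-library codes, so a chain failure will be logged as a generic "lib(0):func(0):reason(N)" string rather than the X509 reason; `X509_verify_cert_error_string` is the translator for verify-result codes. The failure path also returns NULL without `SSL_free(ssl)`, leaking the SSL object (and the BIO attached to it, if SSL_set_bio was called in the part of the function outside this hunk); the `!sbio` return in the previous hunk has the same, pre-existing, leak of `ssl`. Passing the assembled `outmsg` as AXIS2_LOG_ERROR's format argument also means any `%` in the error text would be interpreted as a conversion; passing the text through `%s` as the other calls in this file do removes the snprintf and both fixed-size buffers. Note as well that X509_V_OK only proves the chain validates against ca_file, not that the certificate belongs to the host being connected to, so a check of the certificate's subject/SAN against the target host is still missing after this commit.
```c
    if (SSL_get_verify_result(ssl) != X509_V_OK)
    {
        AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
            "[ssl client] SSL certificate verification failed (%s)",
            X509_verify_cert_error_string(SSL_get_verify_result(ssl)));
        SSL_free(ssl);
        return NULL;
    }
```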
@@ -139,8 +163,7 @@
axis2_ssl_utils_cleanup_ssl(
const axutil_env_t *env,
SSL_CTX *ctx,
- SSL *ssl
- )
+ SSL *ssl)
{
AXIS2_ENV_CHECK(env, AXIS2_FAILURE);