summaryrefslogtreecommitdiff
path: root/src/s_serv.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/s_serv.c')
-rw-r--r--src/s_serv.c35
1 files changed, 29 insertions, 6 deletions
diff --git a/src/s_serv.c b/src/s_serv.c
index 3b622a6..7c6fa2e 100644
--- a/src/s_serv.c
+++ b/src/s_serv.c
@@ -1305,14 +1305,12 @@ finish_ssl_server_handshake(struct Client *client_p)
static void
ssl_server_handshake(fde_t *fd, struct Client *client_p)
{
- int ret;
- int err;
+ X509 *cert = NULL;
+ int ret = 0;
- ret = SSL_connect(client_p->localClient->fd.ssl);
-
- if (ret <= 0)
+ if ((ret = SSL_connect(client_p->localClient->fd.ssl)) <= 0)
{
- switch ((err = SSL_get_error(client_p->localClient->fd.ssl, ret)))
+ switch (SSL_get_error(client_p->localClient->fd.ssl, ret))
{
case SSL_ERROR_WANT_WRITE:
comm_setselect(&client_p->localClient->fd, COMM_SELECT_WRITE,
@@ -1334,6 +1332,31 @@ ssl_server_handshake(fde_t *fd, struct Client *client_p)
}
}
+ if ((cert = SSL_get_peer_certificate(client_p->localClient->fd.ssl)))
+ {
+ int res = SSL_get_verify_result(client_p->localClient->fd.ssl);
+ char buf[EVP_MAX_MD_SIZE * 2 + 1] = { '\0' };
+ unsigned char md[EVP_MAX_MD_SIZE] = { '\0' };
+
+ if (res == X509_V_OK || res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
+ res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
+ res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
+ {
+ unsigned int i = 0, n = 0;
+
+ if (X509_digest(cert, EVP_sha256(), md, &n))
+ {
+ for (; i < n; ++i)
+ snprintf(buf + 2 * i, 3, "%02X", md[i]);
+ client_p->certfp = xstrdup(buf);
+ }
+ }
+ else
+ ilog(LOG_TYPE_IRCD, "Server %s!%s@%s gave bad SSL client certificate: %d",
+ client_p->name, client_p->username, client_p->host, res);
+ X509_free(cert);
+ }
+
finish_ssl_server_handshake(client_p);
}