log.c: Use one printf() instead of two in log_message().

[tlsproxy/tlsproxy.git] / src / verify.c

diff --git a/src/verify.c b/src/verify.c
index f546fd42e2cb9d2982cea39a0c0a6fd8b112b6a0..6ea5f1b23d07f45be840f813035410129765d466 100644 (file)
--- a/src/verify.c
+++ b/src/verify.c
@@ -1,7 +1,7 @@
 /*
  * Verify established TLS connections.
  *
- * Copyright (C) 2011  Simon Ruderich
+ * Copyright (C) 2011-2013  Simon Ruderich
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -32,7 +32,7 @@ static int get_certificate_path(const char *format,
 
 int verify_tls_connection(gnutls_session_t session, const char *hostname) {
     int result;
-    char path[1024];
+    char path[TLSPROXY_MAX_PATH_LENGTH];
 
     size_t size;
     unsigned int status;
@@ -156,6 +156,21 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
         return -2;
     }
 
+    /* Check that the proxy certificate file exists and is readable for this
+     * domain. This ensures we send an "invalid" certificate even if the proxy
+     * certificate doesn't exist. */
+    if (0 != proxy_certificate_path(hostname, path, sizeof(path))) {
+        return -1;
+    }
+    file = fopen(path, "r");
+    if (NULL == file) {
+        LOG(LOG_WARNING,
+            "verify_tls_connection(): proxy certificate doesn't exist: '%s'",
+            path);
+        return -1;
+    }
+    fclose(file);
+
     return 0;
 }