X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=src%2Fverify.c;h=d526c1867c788f5041ac3648f37bd114a5c0f9dc;hb=412b6491a940ba3de97e5be95bd35197e51ee210;hp=f68d1bb771a63526f93fba00623fa30061b69e9e;hpb=8f9459308e695a30874a6cdcd53aa26441b87131;p=tlsproxy%2Ftlsproxy.git

diff --git a/src/verify.c b/src/verify.c
index f68d1bb..d526c18 100644
--- a/src/verify.c
+++ b/src/verify.c
@@ -79,7 +79,8 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
             gnutls_strerror(result));
         return -1;
     }
-    /* Definitely an invalid certificate, abort. */
+    /* Definitely an invalid certificate, abort. We don't perform any CA
+     * verification so don't check for GNUTLS_CERT_INVALID. */
     if (status & GNUTLS_CERT_REVOKED
             || status & GNUTLS_CERT_SIGNER_NOT_CA
             || status & GNUTLS_CERT_INSECURE_ALGORITHM
@@ -186,9 +187,14 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
         return -2;
     }
 
-    /* Check that the proxy certificate file exists and is readable for this
-     * domain. This ensures we send an "invalid" certificate even if the proxy
-     * certificate doesn't exist. */
+    /* Check that the proxy certificate file for this domain exists and is
+     * readable. This ensures we send an "invalid" certificate if the proxy
+     * certificate doesn't exist.
+     *
+     * If the file gets removed or becomes unreadable after the check we won't
+     * be able to establish a connection to the real server so this
+     * race-condition has no security issues and is only a convenience for the
+     * user. */
     if (proxy_certificate_path(hostname, path, sizeof(path)) != 0) {
         return -1;
     }
@@ -236,13 +242,13 @@ static int get_certificate_path(const char *format,
 }
 
 int proxy_certificate_path(const char *hostname, char *path, size_t size) {
-    return get_certificate_path(PROXY_SERVER_CERT_FORMAT,
+    return get_certificate_path(PROXY_SERVER_CERT_FILE_FORMAT,
                                 hostname, path, size);
 }
 
 int server_certificate_file(FILE **file, const char *hostname,
                             char *path, size_t size) {
-    if (get_certificate_path(STORED_SERVER_CERT_FORMAT,
+    if (get_certificate_path(STORED_SERVER_CERT_FILE_FORMAT,
                              hostname, path, size) != 0) {
         LOG_PERROR(ERROR, "server_certificate_file(): failed to get path");
         return -1;