Verify the server certificate against a stored copy.

[tlsproxy/tlsproxy.git] / src / connection.c

diff --git a/src/connection.c b/src/connection.c
index 520ce40e031a0052581a7c2dc27e93c649fbf74f..1421afa0c384073e51776b5bda129f031d1fcf29 100644 (file)
--- a/src/connection.c
+++ b/src/connection.c
@@ -19,6 +19,7 @@
 
 #include "tlsproxy.h"
 #include "connection.h"
+#include "verify.h"
 
 /* close() */
 #include <unistd.h>
@@ -47,6 +48,7 @@ static int initialize_tls_session_server(int peer_socket,
 static int read_http_request(FILE *client_fd, char *request, size_t length);
 static void send_bad_request(FILE *client_fd);
 static void send_forwarding_failure(FILE *client_fd);
+static void tls_send_server_error(gnutls_session_t session);
 
 #if 0
 static void transfer_data(int client, int server);
@@ -227,7 +229,12 @@ void handle_connection(int client_socket) {
 
     LOG(LOG_DEBUG, "server TLS handshake finished, transferring data");
 
-    /* FIXME: verify server's fingerprint */
+    /* Make sure the server certificate is valid and known. */
+    if (0 != verify_tls_connection(server_session, host)) {
+        LOG(LOG_ERROR, "server certificate validation failed!");
+        tls_send_server_error(client_session);
+        goto out;
+    }
 
     /* Proxy data between client and server until one suite is done (EOF or
      * error). */
@@ -440,6 +447,10 @@ static void send_forwarding_failure(FILE *client_fd) {
     fprintf(client_fd, "HTTP/1.0 503 Forwarding failure\r\n");
     fprintf(client_fd, "\r\n");
 }
+static void tls_send_server_error(gnutls_session_t session) {
+    gnutls_record_send(session, "HTTP/1.0 500 Internal Server Error\r\n", 36);
+    gnutls_record_send(session, "\r\n", 2);
+}
 
 
 #if 0