+ if (verify_tls_connection(server_session, host) != 0) {
+ LOG(ERROR, "server certificate validation failed!");
+ /* We'll send the error message over our TLS connection to the client,
+ * but with an invalid certificate. No data is transfered from/to the
+ * target server. */
+ validation_failed = 1;
+ }
+
+ /* Initialize TLS server credentials to talk to the client. */
+ result = initialize_tls_session_client(client_socket,
+ /* use a special host if the server
+ * certificate was invalid */
+ (validation_failed) ? "invalid"
+ : host,
+ &client_session,
+ &client_x509_cred);
+ if (result != 0) {
+ LOG(WARNING, "initialize_tls_session_client() failed");
+ send_forwarding_failure(client_fd_write);
+ goto out;
+ }
+ client_session_init = 1;
+
+ /* We've established a connection, tell the client. */
+ fprintf(client_fd_write, "HTTP/1.0 200 Connection established\r\n");
+ fprintf(client_fd_write, "\r\n");
+ fflush(client_fd_write);
+
+ LOG(DEBUG, "starting client TLS handshake");
+
+ /* Try to establish TLS handshake between client and us. */
+ result = gnutls_handshake(client_session);
+ if (result != GNUTLS_E_SUCCESS) {
+ LOG(WARNING, "client TLS handshake failed: %s",
+ gnutls_strerror(result));
+ send_forwarding_failure(client_fd_write);
+ goto out;
+ }
+ client_session_started = 1;
+
+ LOG(DEBUG, "client TLS handshake finished");
+
+ /* Tell the client that the verification failed. Shouldn't be necessary as
+ * the client should terminate the connection because he received the
+ * invalid certificate but better be sure. */
+ if (validation_failed) {
+ tls_send_invalid_cert_message(client_session);