/*
* Verify established TLS connections.
*
- * Copyright (C) 2011 Simon Ruderich
+ * Copyright (C) 2011-2012 Simon Ruderich
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
gnutls_x509_crt_deinit(cert);
/* Open stored server certificate file. */
- if (0 != server_certificate_path(&file, hostname, path, sizeof(path))) {
+ if (0 != server_certificate_file(&file, hostname, path, sizeof(path))) {
LOG(LOG_DEBUG, "server certificate:\n%s", server_cert);
return -1;
}
return -2;
}
+ /* Check that the proxy certificate file exists and is readable for this
+ * domain. This ensures we send an "invalid" certificate even if the proxy
+ * certificate doesn't exist. */
+ if (0 != proxy_certificate_path(hostname, path, sizeof(path))) {
+ return -1;
+ }
+ file = fopen(path, "r");
+ if (NULL == file) {
+ LOG(LOG_WARNING,
+ "verify_tls_connection(): proxy certificate doesn't exist: '%s'",
+ path);
+ return -1;
+ }
+ fclose(file);
+
return 0;
}
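Review bot: The warning emitted when `fopen(path, "r")` fails drops errno, so a permission problem (EACCES), a directory in place of a file, or a too-long path are all reported as "proxy certificate doesn't exist", which will mislead whoever debugs a failed verification; the sibling `server_certificate_file()` in this same commit already logs `strerror(errno)`, so this block should match it. I would change the log to `LOG(LOG_WARNING, "verify_tls_connection(): failed to open proxy certificate '%s': %s", path, strerror(errno));` (errno must be read before any other call that could clobber it, so keep it inside the `NULL == file` branch as it is now). Note also that a successful fopen only proves the file is readable at this moment, not that it holds a parseable certificate; if the intent stated in the new comment is to guarantee an "invalid" certificate can be sent, it may be worth saying in that comment that parse failures are caught later, if that is indeed the case. The enclosing function `verify_tls_connection()` starts before this hunk, so the `path` buffer declaration and earlier error paths are not visible here.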
hostname, path, size);
}
-int server_certificate_path(FILE **file, const char *hostname,
+int server_certificate_file(FILE **file, const char *hostname,
char *path, size_t size) {
if (0 != get_certificate_path(STORED_SERVER_CERT_FORMAT,
hostname, path, size)) {
LOG_PERROR(LOG_ERROR,
- "server_certificate_path(): failed to get path");
+ "server_certificate_file(): failed to get path");
return -1;
}
if (NULL == *file) {
if (global_passthrough_unknown) {
LOG(LOG_DEBUG,
- "server_certificate_path(): failed to open '%s': %s",
+ "server_certificate_file(): failed to open '%s': %s",
path, strerror(errno));
} else {
LOG(LOG_WARNING,
- "server_certificate_path(): failed to open '%s': %s",
+ "server_certificate_file(): failed to open '%s': %s",
path, strerror(errno));
}
/* Couldn't open the file, special case. */