1
0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-11-26 11:29:53 +03:00

Merge pull request #1391 from domosekai/master

This commit is contained in:
Yihong Wu 2021-11-25 11:09:12 +08:00 committed by GitHub
commit 8392ccd1fa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -5670,7 +5670,7 @@ int SslCertVerifyCallback(int preverify_ok, X509_STORE_CTX *ctx)
StrCpy(clientcert->PreverifyErrMessage, PREVERIFY_ERR_MESSAGE_SIZE, (char *)msg); StrCpy(clientcert->PreverifyErrMessage, PREVERIFY_ERR_MESSAGE_SIZE, (char *)msg);
Debug("SslCertVerifyCallback preverify error: '%s'\n", msg); Debug("SslCertVerifyCallback preverify error: '%s'\n", msg);
} }
else else if (X509_STORE_CTX_get_error_depth(ctx) == 0)
{ {
cert = X509_STORE_CTX_get0_cert(ctx); cert = X509_STORE_CTX_get0_cert(ctx);
if (cert != NULL) if (cert != NULL)
@ -5736,6 +5736,13 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee
if (verify_peer) if (verify_peer)
{ {
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, SslCertVerifyCallback); SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, SslCertVerifyCallback);
if (server_mode)
{
// Allow incomplete client trust chain
X509_VERIFY_PARAM *vpm = SSL_CTX_get0_param(ssl_ctx);
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN);
}
} }
if (dh != NULL) if (dh != NULL)
@ -11540,17 +11547,8 @@ bool AddChainSslCert(struct ssl_ctx_st *ctx, X *x)
x_copy = CloneX(x); x_copy = CloneX(x);
if (x_copy != NULL) if (x_copy != NULL)
{
if (x_copy->root_cert)
{
X509_STORE *store = SSL_CTX_get_cert_store(ctx);
X509_STORE_add_cert(store, x_copy->x509);
X509_free(x_copy->x509);
}
else
{ {
SSL_CTX_add_extra_chain_cert(ctx, x_copy->x509); SSL_CTX_add_extra_chain_cert(ctx, x_copy->x509);
}
x_copy->do_not_free = true; x_copy->do_not_free = true;
ret = true; ret = true;