Added possibility to load CA certificates from chain_certs folder to allow verifying the client certificates against it.

2025-07-07 00:04:57 +03:00 · 2020-05-02 14:40:46 +03:00
parent 24bd2b3198
commit a2b7cb0148
3 changed files with 14 additions and 8 deletions
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
@ -5689,7 +5689,7 @@ int SslCertVerifyCallback(int preverify_ok, X509_STORE_CTX *ctx)
 	{
 		clientcert->PreverifyErr = X509_STORE_CTX_get_error(ctx);
 		clientcert->PreverifyErrMessage[0] = '\0';
-		if (!preverify_ok && !clientcert->IgnorePreverifyErr)
+		if (!preverify_ok)
 		{
 			const char *msg = X509_verify_cert_error_string(clientcert->PreverifyErr);
 			StrCpy(clientcert->PreverifyErrMessage, PREVERIFY_ERR_MESSAGE_SIZE, (char *)msg);
@ -11785,7 +11785,15 @@ bool AddChainSslCert(struct ssl_ctx_st *ctx, X *x)

 	if (x_copy != NULL)
 	{
-		SSL_CTX_add_extra_chain_cert(ctx, x_copy->x509);
+		if (x_copy->root_cert)
+		{
+			X509_STORE* store = SSL_CTX_get_cert_store(ctx);
+			X509_STORE_add_cert(store, x->x509);
+		}
+		else
+		{
+			SSL_CTX_add_extra_chain_cert(ctx, x_copy->x509);
+		}
 		x_copy->do_not_free = true;

 		ret = true;
--- a/src/Mayaqua/Network.h
+++ b/src/Mayaqua/Network.h
@ -1403,7 +1403,6 @@ void UnixWaitForTubes(TUBE **tubes, UINT num, UINT timeout);
 #define PREVERIFY_ERR_MESSAGE_SIZE 100
 // Info on client certificate collected during TLS handshake
 struct SslClientCertInfo {
-	bool IgnorePreverifyErr;
 	int PreverifyErr;
 	char PreverifyErrMessage[PREVERIFY_ERR_MESSAGE_SIZE];
 	X *X;