authorvenaas <venaas>2007-11-20 14:54:18 +0000
committervenaas <venaas@e88ac4ed-0b26-0410-9574-a7f39faa03bf>2007-11-20 14:54:18 +0000
commitdcc1af59f992546b8b8e124c103cc3454f580377 (patch)
tree274842b69f1f85a792e7cbfd2294d22ef1c8fa46
parenta3ec1192ba229cb3874fe0ba2a1aa5bbd6f70592 (diff)
now setting client_CA_list
git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@195 e88ac4ed-0b26-0410-9574-a7f39faa03bf
-rw-r--r--radsecproxy.c19
1 files changed, 19 insertions, 0 deletions
diff --git a/radsecproxy.c b/radsecproxy.c
index bf3d875..7a6e4c8 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -2238,6 +2238,7 @@ int tlslistener() {
void tlsadd(char *value, char *cacertfile, char *cacertpath, char *certfile, char *certkeyfile, char *certkeypwd) {
struct tls *new;
SSL_CTX *ctx;
+ STACK_OF(X509_NAME) *calist;
int i;
unsigned long error;
@@ -2280,6 +2281,24 @@ void tlsadd(char *value, char *cacertfile, char *cacertpath, char *certfile, cha
debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
debugx(1, DBG_ERR, "Error initialising SSL/TLS in TLS context %s", value);
}
+
+ calist = cacertfile ? SSL_load_client_CA_file(cacertfile) : NULL;
+ if (!cacertfile || calist) {
+ if (cacertpath) {
+ if (!calist)
+ calist = sk_X509_NAME_new_null();
+ if (!SSL_add_dir_cert_subjects_to_stack(calist, cacertpath)) {
+ sk_X509_NAME_free(calist);
+ calist = NULL;
+ }
+ }
+ }
+ if (!calist) {
+ while ((error = ERR_get_error()))
+ debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
+ debugx(1, DBG_ERR, "Error adding CA subjects in TLS context %s", value);
+ }
+ SSL_CTX_set_client_CA_list(ctx, calist);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb);
SSL_CTX_set_verify_depth(ctx, MAX_CERT_DEPTH + 1);
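Review bot: The `sk_X509_NAME_new_null()` result in the `if (!calist)` branch is never checked, so on allocation failure `SSL_add_dir_cert_subjects_to_stack` receives a NULL stack and dereferences it; guard it, e.g. `if (!calist && !(calist = sk_X509_NAME_new_null())) debugx(1, DBG_ERR, "Error allocating CA list in TLS context %s", value);`, or let it fall into the existing `if (!calist)` error block. The `SSL_CTX_set_client_CA_list` call also deserves a comment, because this list only controls the CA names advertised to clients in the CertificateRequest and does not change which certificates `verify_cb` and the verify store accept — those trust anchors presumably come from the verify locations set earlier in tlsadd (outside this hunk), so both should keep being sourced from the same cacertfile/cacertpath: `/* Names advertised in CertificateRequest only; trust decisions come from the verify store and verify_cb, not from this list. */`. On the failure path `sk_X509_NAME_free(calist)` frees the stack but not the X509_NAME entries already loaded from cacertfile (`sk_X509_NAME_pop_free(calist, X509_NAME_free)` would), which only matters if `debugx` does not terminate the process as its use here suggests. tlsadd continues past the end of this hunk.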