#define CERTIFICATE_AUTHORITY_KEY "keyid:always"
#define CERTIFICATE_ALT_NAME_PREFIX "DNS:"
#define CERTIFICATE_VERSION 2
-#define VALID_DATETIME_FMT "%Y%m%d%H%M%SZ"
+#define VALID_DATETIME_FMT "%y%m%d%H%M%SZ"
#define VALID_DATETIME_BUFLEN 16
static int generate_webpage_certificate(struct client_state *csp);
if (len > (sizeof(last->file_buf) - 1))
{
log_error(LOG_LEVEL_ERROR,
- "X509 PEM cert len %d is larger then buffer len %s",
+ "X509 PEM cert len %ld is larger than buffer len %lu",
len, sizeof(last->file_buf) - 1);
len = sizeof(last->file_buf) - 1;
}
if (BIO_puts(bio, "serial number : ") <= 0)
{
- log_ssl_errors(LOG_LEVEL_ERROR, "BIO_write() for serial failed");
+ log_ssl_errors(LOG_LEVEL_ERROR, "BIO_puts() for serial failed");
ret = -1;
goto exit;
}
tsig_alg = X509_get0_tbs_sigalg(crt);
if (!i2a_ASN1_OBJECT(bio, tsig_alg->algorithm))
{
- log_ssl_errors(LOG_LEVEL_ERROR, "i2a_ASN1_OBJECT() for signed using on failed");
+ log_ssl_errors(LOG_LEVEL_ERROR, "i2a_ASN1_OBJECT() for signed using failed");
ret = -1;
goto exit;
}
char *ca_file = NULL;
char *cert_file = NULL;
int ret = 0;
- SSL* ssl;
+ SSL *ssl;
/*
* Initializing OpenSSL structures for TLS/SSL connection
extern void close_client_ssl_connection(struct client_state *csp)
{
struct ssl_attr *ssl_attr = &csp->ssl_client_attr;
+ SSL *ssl;
if (csp->ssl_with_client_is_opened == 0)
{
* Notifying the peer that the connection is being closed.
*/
BIO_ssl_shutdown(ssl_attr->openssl_attr.bio);
+ if (BIO_get_ssl(ssl_attr->openssl_attr.bio, &ssl) != 1)
+ {
+ log_ssl_errors(LOG_LEVEL_ERROR,
+ "BIO_get_ssl() failed in close_client_ssl_connection()");
+ }
+ else
+ {
+ /*
+ * Pretend we received a shutdown alert so
+ * the BIO_free_all() call later on returns
+ * quickly.
+ */
+ SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
+ }
free_client_ssl_structures(csp);
csp->ssl_with_client_is_opened = 0;
}
extern void close_server_ssl_connection(struct client_state *csp)
{
struct ssl_attr *ssl_attr = &csp->ssl_server_attr;
+ SSL *ssl;
if (csp->ssl_with_server_is_opened == 0)
{
* Notifying the peer that the connection is being closed.
*/
BIO_ssl_shutdown(ssl_attr->openssl_attr.bio);
+ if (BIO_get_ssl(ssl_attr->openssl_attr.bio, &ssl) != 1)
+ {
+ log_ssl_errors(LOG_LEVEL_ERROR,
+ "BIO_get_ssl() failed in close_server_ssl_connection()");
+ }
+ else
+ {
+ /*
+ * Pretend we received a shutdown alert so
+ * the BIO_free_all() call later on returns
+ * quickly.
+ */
+ SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
+ }
free_server_ssl_structures(csp);
csp->ssl_with_server_is_opened = 0;
}
else
{
csp->server_cert_verification_result = verify_result;
- log_error(LOG_LEVEL_ERROR, "SSL_get_verify_result failed: %s",
- X509_verify_cert_error_string(verify_result));
+ log_error(LOG_LEVEL_ERROR,
+ "X509 certificate verification for %s failed: %s",
+ csp->http->hostport, X509_verify_cert_error_string(verify_result));
ret = -1;
goto exit;
}
goto exit;
}
- BN_set_word(exp, RSA_KEY_PUBLIC_EXPONENT);
+ if (BN_set_word(exp, RSA_KEY_PUBLIC_EXPONENT) != 1)
+ {
+ log_ssl_errors(LOG_LEVEL_ERROR, "Setting RSA key exponent failed");
+ ret = -1;
+ goto exit;
+ }
key_file_path = make_certs_path(csp->config->certificate_directory,
(char *)csp->http->hash_of_host_hex, KEY_FILE_TYPE);
{
log_ssl_errors(LOG_LEVEL_ERROR,
"Error checking certificate %s validity", cert_file);
+ ret = -1;
}
X509_free(cert);
{
log_ssl_errors(LOG_LEVEL_ERROR,
"X509 subject name (code: %s, val: %s) error",
- CERT_PARAM_COMMON_NAME_FCODE, csp->http->host);
+ CERT_PARAM_ORGANIZATION_FCODE, csp->http->host);
ret = -1;
goto exit;
}
{
log_ssl_errors(LOG_LEVEL_ERROR,
"X509 subject name (code: %s, val: %s) error",
- CERT_PARAM_COMMON_NAME_FCODE, csp->http->host);
+ CERT_PARAM_ORG_UNIT_FCODE, csp->http->host);
ret = -1;
goto exit;
}
{
log_ssl_errors(LOG_LEVEL_ERROR,
"X509 subject name (code: %s, val: %s) error",
- CERT_PARAM_COMMON_NAME_FCODE, csp->http->host);
+ CERT_PARAM_COUNTRY_FCODE, csp->http->host);
ret = -1;
goto exit;
}
if (!X509_set_pubkey(cert, loaded_subject_key))
{
log_ssl_errors(LOG_LEVEL_ERROR,
- "Setting issuer name in signed certificate failed");
+ "Setting public key in signed certificate failed");
ret = -1;
goto exit;
}
if (!X509_set_subject_name(cert, subject_name))
{
log_ssl_errors(LOG_LEVEL_ERROR,
- "Setting issuer name in signed certificate failed");
+ "Setting subject name in signed certificate failed");
ret = -1;
goto exit;
}
if (!X509_set1_notBefore(cert, asn_time))
{
log_ssl_errors(LOG_LEVEL_ERROR,
- "Setting valid not befre in signed certificate failed");
+ "Setting valid not before in signed certificate failed");
ret = -1;
goto exit;
}
if (!set_x509_ext(cert, issuer_cert, NID_subject_key_identifier, CERTIFICATE_SUBJECT_KEY))
{
log_ssl_errors(LOG_LEVEL_ERROR,
- "Setting the Subject Key Identifie extension failed");
+ "Setting the Subject Key Identifier extension failed");
ret = -1;
goto exit;
}
if (!host_is_ip_address(csp->http->host) &&
!set_subject_alternative_name(cert, issuer_cert, csp->http->host))
{
- log_ssl_errors(LOG_LEVEL_ERROR, "Setting the Subject Alt Nameextension failed");
+ log_ssl_errors(LOG_LEVEL_ERROR,
+ "Setting the Subject Alt Name extension failed");
ret = -1;
goto exit;
}
{
if (ssl_inited == 1)
{
+#ifndef OPENSSL_NO_COMP
SSL_COMP_free_compression_methods();
-
+#endif
CONF_modules_free();
CONF_modules_unload(1);
-
+#ifndef OPENSSL_NO_COMP
COMP_zlib_cleanup();
+#endif
ERR_free_strings();
EVP_cleanup();
projects / privoxy.git / blobdiff