X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=ssl%2Fssltest.c;h=9e565fb8466ed4e1a4db08fc63ecf9a9cbe06ff8;hb=7c7667b86b481c7516d147cd50ece203d3eb58ab;hp=e57a8e7540f8f968f263717478f4afe987276bd4;hpb=a963395a7b2fecce40d8ef5b0f8192866253e8a7;p=openssl.git
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index e57a8e7540..9e565fb846 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -190,6 +190,7 @@ struct app_verify_arg
 {
 char *string;
 int app_verify;
+ int allow_proxy_certs;
 char *proxy_auth;
 char *proxy_cond;
 };
@@ -223,6 +224,7 @@ static void sv_usage(void)
 fprintf(stderr,"\n");
 fprintf(stderr," -server_auth - check server certificate\n");
 fprintf(stderr," -client_auth - do client authentication\n");
+ fprintf(stderr," -proxy - allow proxy certificates\n");
 fprintf(stderr," -proxy_auth - set proxy policy rights\n");
 fprintf(stderr," -proxy_cond - experssion to test proxy policy rights\n");
 fprintf(stderr," -v - more output\n");
@@ -383,7 +385,7 @@ int main(int argc, char *argv[])
 int client_auth=0;
 int server_auth=0,i;
 struct app_verify_arg app_verify_arg =
- { APP_CALLBACK_STRING, 0, NULL, NULL };
+ { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
 char *server_cert=TEST_SERVER_CERT;
 char *server_key=NULL;
 char *client_cert=TEST_CLIENT_CERT;
@@ -580,6 +582,10 @@ int main(int argc, char *argv[])
 {
 app_verify_arg.app_verify = 1;
 }
+ else if (strcmp(*argv,"-proxy") == 0)
+ {
+ app_verify_arg.allow_proxy_certs = 1;
+ }
 else
 {
 fprintf(stderr,"unknown option %s\n",*argv);
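Review bot: The new `allow_proxy_certs` member of `struct app_verify_arg` carries no comment saying what a non-zero value does, and its effect only becomes visible in the `app_verify_callback` hunk at the end of this diff. I would document it on the declaration, for example `/* non-zero: set X509_V_FLAG_ALLOW_PROXY_CERTS on the verify context */`. Since the member was inserted in the middle of the struct, every positional initializer must be kept in step with it; the `main` hunk updates the one visible here, but other initializers, if any exist, are outside this diff.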
@@ -1606,17 +1612,22 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) fprintf(stderr,"depth=%d %s\n", ctx->error_depth,buf); else + { fprintf(stderr,"depth=%d error=%d %s\n", ctx->error_depth,ctx->error,buf); + } } if (ok == 0) { + fprintf(stderr,"Error string: %s\n", + X509_verify_cert_error_string(ctx->error)); switch (ctx->error) { case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: + fprintf(stderr," ... ignored.\n"); ok=1; } } @@ -2018,6 +2029,10 @@ static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg) X509_STORE_CTX_set_ex_data(ctx, get_proxy_auth_ex_data_idx(),letters); } + if (cb_arg->allow_proxy_certs) + { + X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS); + } #ifndef OPENSSL_NO_X509_VERIFY # ifdef OPENSSL_FIPS
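Review bot: The `switch (ctx->error)` in `verify_callback` turns three verification failures (not yet valid, expired, depth-zero self-signed) into `ok=1`, and the added `" ... ignored.\n"` message now advertises that without any comment explaining why it is acceptable. A comment above the switch would keep the pattern from being copied into non-test code, for example `/* Test harness only: these errors are deliberately accepted; never do this in a production verify callback. */`. The reason for the override (presumably the bundled test certificates) is not visible in the hunk, so the comment should state it once confirmed. The function starts and ends outside the hunk.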
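Review bot: The added block in `app_verify_callback` sets `X509_V_FLAG_ALLOW_PROXY_CERTS` whenever `cb_arg->allow_proxy_certs` is set, regardless of whether a proxy policy was supplied through `-proxy_auth`/`-proxy_cond`. Whether proxy rights are still evaluated when only `-proxy` is given cannot be seen from this hunk, so it is worth confirming and documenting at the call. I would add a comment such as `/* Proxy certificates are rejected unless this flag is set; rights are checked separately in verify_callback (confirm) */`. The function body continues outside the hunk, including where `cb_arg` is derived from `arg`.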