#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
on Linux and GNU platforms. */
-#define _XOPEN_SOURCE 1 /* Ot isascii won't be declared properly on
- VMS (at least with DECompHP C). */
#include <assert.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
-#include <ctype.h>
#define USE_SOCKETS
#include "e_os.h"
+#define _XOPEN_SOURCE 1 /* Or isascii won't be declared properly on
+ VMS (at least with DECompHP C). */
+#include <ctype.h>
+
#include <openssl/bio.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
{
char *string;
int app_verify;
+ int allow_proxy_certs;
char *proxy_auth;
char *proxy_cond;
};
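Review bot: The new `allow_proxy_certs` field has no comment saying what it controls, while its meaning is only discoverable from the `-proxy` option handling and the `X509_STORE_CTX_set_flags` call elsewhere in this diff. A one-line comment on the field would keep the struct self-describing: `int allow_proxy_certs; /* non-zero when -proxy was given: opt in to X509_V_FLAG_ALLOW_PROXY_CERTS during verification */`. The `struct app_verify_arg` definition begins before this hunk.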
fprintf(stderr,"\n");
fprintf(stderr," -server_auth - check server certificate\n");
fprintf(stderr," -client_auth - do client authentication\n");
+ fprintf(stderr," -proxy - allow proxy certificates\n");
fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
fprintf(stderr," -v - more output\n");
int client_auth=0;
int server_auth=0,i;
struct app_verify_arg app_verify_arg =
- { APP_CALLBACK_STRING, 0, NULL, NULL };
+ { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
char *server_cert=TEST_SERVER_CERT;
char *server_key=NULL;
char *client_cert=TEST_CLIENT_CERT;
{
app_verify_arg.app_verify = 1;
}
+ else if (strcmp(*argv,"-proxy") == 0)
+ {
+ app_verify_arg.allow_proxy_certs = 1;
+ }
else
{
fprintf(stderr,"unknown option %s\n",*argv);
fprintf(stderr,"depth=%d %s\n",
ctx->error_depth,buf);
else
+ {
fprintf(stderr,"depth=%d error=%d %s\n",
ctx->error_depth,ctx->error,buf);
+ }
}
if (ok == 0)
{
+ fprintf(stderr,"Error string: %s\n",
+ X509_verify_cert_error_string(ctx->error));
switch (ctx->error)
{
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ fprintf(stderr," ... ignored.\n");
ok=1;
}
}
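Review bot: The `switch (ctx->error)` that follows the new error-string print still has no `default` label, so a reader cannot tell from the code that only the three listed errors are meant to be tolerated and every other error keeps `ok == 0`; the new `" ... ignored.\n"` message makes the override visible at runtime but not in the source. I would add `default: break;` after the `ok=1;` arm and a comment above the switch such as `/* Test harness only: expired, not-yet-valid and depth-0 self-signed test certificates are deliberately accepted; any other verification error still fails. */` so nobody lifts this callback into real code without noticing the override. The enclosing callback starts before this hunk.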
X509_STORE_CTX_set_ex_data(ctx,
get_proxy_auth_ex_data_idx(),letters);
}
+ if (cb_arg->allow_proxy_certs)
+ {
+ X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
+ }
#ifndef OPENSSL_NO_X509_VERIFY
# ifdef OPENSSL_FIPS
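Review bot: The new `X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS)` call is made from inside the application verify callback without a comment explaining why the flag is applied per verification here rather than once on the verify parameters, and it is the only place in this diff where the `-proxy` opt-in actually changes verification behaviour. Since proxy certificates are rejected by default and accepting them is a deliberate relaxation, I would document that at the call site: `/* -proxy: opt in to proxy certificates for this verification only; they are rejected by default and this is the first point where the test has the X509_STORE_CTX. */`. The enclosing function starts before this hunk, so I cannot confirm from the visible lines whether `cb_arg` is checked for NULL before it is dereferenced above.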