{
char *string;
int app_verify;
+ int allow_proxy_certs;
char *proxy_auth;
char *proxy_cond;
};
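Review bot: The new `allow_proxy_certs` field has no comment saying what it controls, and its name alone does not tell a reader that it drives a verify-store flag rather than, say, sending a proxy certificate. A one-line comment on the added field would close that gap: `int allow_proxy_certs; /* set X509_V_FLAG_ALLOW_PROXY_CERTS in the verify callback */`. The struct's opening line is outside this hunk.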
fprintf(stderr,"\n");
fprintf(stderr," -server_auth - check server certificate\n");
fprintf(stderr," -client_auth - do client authentication\n");
+ fprintf(stderr," -proxy - allow proxy certificates\n");
fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
fprintf(stderr," -v - more output\n");
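Review bot: Since this hunk already edits the usage block, the unchanged `-proxy_cond` line two lines below the added one carries the typo "experssion" and could be corrected in the same commit: `fprintf(stderr," -proxy_cond <val> - expression to test proxy policy rights\n");`. The `-proxy` help text itself could also say that it only affects certificate verification, which is what the flag does.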
int client_auth=0;
int server_auth=0,i;
struct app_verify_arg app_verify_arg =
- { APP_CALLBACK_STRING, 0, NULL, NULL };
+ { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
char *server_cert=TEST_SERVER_CERT;
char *server_key=NULL;
char *client_cert=TEST_CLIENT_CERT;
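Review bot: The replacement initializer is positional, so inserting `allow_proxy_certs` in the middle of `struct app_verify_arg` silently shifts the meaning of every later element; the two `0`s are now indistinguishable to a reader. If the project's C baseline allows C99 designated initializers this is safer as `{ .string = APP_CALLBACK_STRING, .app_verify = 0, .allow_proxy_certs = 0, .proxy_auth = NULL, .proxy_cond = NULL }`; otherwise a trailing comment naming the fields in order would help. The enclosing function continues outside this hunk.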
{
app_verify_arg.app_verify = 1;
}
+ else if (strcmp(*argv,"-proxy") == 0)
+ {
+ app_verify_arg.allow_proxy_certs = 1;
+ }
else
{
fprintf(stderr,"unknown option %s\n",*argv);
#ifndef OPENSSL_NO_ECDH
if (!no_ecdhe)
{
- ecdh = EC_KEY_new();
- if (ecdh != NULL)
- {
- if (named_curve)
- {
- int nid = OBJ_sn2nid(named_curve);
+ int nid;
- if (nid == 0)
- {
- BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
- EC_KEY_free(ecdh);
- goto end;
- }
-
- ecdh->group = EC_GROUP_new_by_nid(nid);
- if (ecdh->group == NULL)
- {
- BIO_printf(bio_err, "unable to create curve (%s)\n", named_curve);
- EC_KEY_free(ecdh);
- goto end;
- }
+ if (named_curve != NULL)
+ {
+ nid = OBJ_sn2nid(named_curve);
+ if (nid == 0)
+ {
+ BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
+ goto end;
}
-
- if (ecdh->group == NULL)
- ecdh->group=EC_GROUP_new_by_nid(NID_sect163r2);
+ }
+ else
+ nid = NID_sect163r2;
- SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
- SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
- EC_KEY_free(ecdh);
+ ecdh = EC_KEY_new_by_curve_name(nid);
+ if (ecdh == NULL)
+ {
+ BIO_printf(bio_err, "unable to create curve\n");
+ goto end;
}
+
+ SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
+ SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
+ EC_KEY_free(ecdh);
}
#else
(void)no_ecdhe;
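Review bot: The failure message after `EC_KEY_new_by_curve_name` drops the curve name that the old `EC_GROUP_new_by_nid` path reported, which makes a mis-named curve harder to diagnose; `BIO_printf(bio_err, "unable to create curve (%s)\n", OBJ_nid2sn(nid));` keeps the information for both the named and the default case. The rewritten block also still ignores the return value of `SSL_CTX_set_tmp_ecdh`, so a context that rejects the key is reported as success; `if (!SSL_CTX_set_tmp_ecdh(s_ctx, ecdh)) { EC_KEY_free(ecdh); goto end; }` would surface that. The enclosing function starts and ends outside this hunk.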
fprintf(stderr,"depth=%d %s\n",
ctx->error_depth,buf);
else
+ {
fprintf(stderr,"depth=%d error=%d %s\n",
ctx->error_depth,ctx->error,buf);
+ }
}
if (ok == 0)
{
+ fprintf(stderr,"Error string: %s\n",
+ X509_verify_cert_error_string(ctx->error));
switch (ctx->error)
{
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ fprintf(stderr," ... ignored.\n");
ok=1;
}
}
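Review bot: The `switch` that the new `" ... ignored."` message is added to ends its only case group without a `break` and has no `default:`, which is fragile now that more output lines live inside it; adding `break;` after `ok=1;` and a `default: break;` arm keeps future additions from falling into the override. The added braces around the `else` are fine, though the matching `if` branch above the hunk presumably remains unbraced, so the two arms read inconsistently. The enclosing verify-callback function starts and ends outside this hunk.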
fprintf(stderr, "In app_verify_callback, allowing cert. ");
fprintf(stderr, "Arg is: %s\n", cb_arg->string);
- fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n",
- (unsigned int)ctx, (unsigned int)ctx->cert);
+ fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
+ (void *)ctx, (void *)ctx->cert);
if (ctx->cert)
s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
if (s != NULL)
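Review bot: The switch from `%x` to `%p` is correct, but the literal `0x` before each `%p` now yields a doubled prefix on common libc implementations where `%p` already prints `0x...`. Drop the literal: `fprintf(stderr, "Finished printing do we have a context? %p a cert? %p\n",`. The casts to `(void *)` are the right pairing for `%p`.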
X509_STORE_CTX_set_ex_data(ctx,
get_proxy_auth_ex_data_idx(),letters);
}
+ if (cb_arg->allow_proxy_certs)
+ {
+ X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
+ }
#ifndef OPENSSL_NO_X509_VERIFY
# ifdef OPENSSL_FIPS
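Review bot: `X509_V_FLAG_ALLOW_PROXY_CERTS` is applied only inside this application verify callback, so if the callback is not installed on a context (whether it is unconditional cannot be seen from this hunk) the `-proxy` option silently does nothing for that side. A comment at the new block stating that intent would help, for example `/* -proxy: proxy certificates are accepted only when this callback runs */`, or the flag could be set once on the store when the contexts are created so it does not depend on the callback path. The enclosing function ends outside this hunk.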