INN commit: trunk/nnrpd (tls.c)

INN Commit rra at isc.org
Tue Apr 19 20:06:39 UTC 2016


    Date: Tuesday, April 19, 2016 @ 13:06:38
  Author: iulius
Revision: 10008

Fix build with OpenSSL 1.1.0 - a few X509_xxx types are now opaque

Check that the current certificate returned by
X509_STORE_CTX_get_current_cert() is not NULL.  In the switch statement,
however, err_cert cannot be NULL, because otherwise the error would have
been something other than X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT.

Modified:
  trunk/nnrpd/tls.c

-------+
 tls.c |   15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

Modified: tls.c
===================================================================
--- tls.c	2016-04-19 20:03:02 UTC (rev 10007)
+++ tls.c	2016-04-19 20:06:38 UTC (rev 10008)
@@ -244,9 +244,13 @@
     err = X509_STORE_CTX_get_error(ctx);
     depth = X509_STORE_CTX_get_error_depth(ctx);
 
-    X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
-    if ((tls_serveractive) && (tls_loglevel >= 1))
-      Printf("Peer cert verify depth=%d %s", depth, buf);
+    if (err_cert != NULL) {
+        X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
+        if ((tls_serveractive) && (tls_loglevel >= 1)) {
+            Printf("Peer cert verify depth=%d %s", depth, buf);
+        }
+    }
+    
     if (ok==0)
     {
       syslog(L_NOTICE, "verify error:num=%d:%s", err,
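Review bot: When `err_cert` is NULL, the new `if (err_cert != NULL)` block leaves `buf` unwritten. The declaration of `buf` is outside the hunk, so it is not visible whether it is initialised there. If it is not, any later path in this callback that logs `buf` without first refilling it would emit indeterminate bytes to syslog. Setting `buf[0] = '\0';` just before the `if` makes the NULL case well defined at no cost. The enclosing function starts and ends outside the hunk.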
@@ -260,9 +264,10 @@
 	    verify_error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
 	}
     }
-    switch (ctx->error) {
+
+    switch (err) {
     case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
-	X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, sizeof(buf));
+	X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof(buf));
 	syslog(L_NOTICE, "issuer= %s", buf);
 	break;
     case X509_V_ERR_CERT_NOT_YET_VALID:
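Review bot: The `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT` case passes `err_cert` to `X509_get_issuer_name()` without the NULL check that the first hunk adds around the subject-name lookup. The commit message argues the pointer cannot be NULL for this error code, but that is an assumption about the library's verification path, not something this callback enforces. Because the callback runs on certificate chains supplied by the peer, a wrong assumption would mean a NULL dereference during the handshake. Wrapping the `X509_NAME_oneline(...)` and `syslog(L_NOTICE, "issuer= %s", buf);` pair in `if (err_cert != NULL) { ... }` removes the dependency, or at minimum add a comment at the case recording the invariant. The rest of the switch and the enclosing function lie outside the hunk.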


