commit 06521da30dc1e693e2264724da101c904768b091
parent 89519e343cef03ef8a2579b5ba97ba61883dc1da
Author: Oswald Buddenhagen <ossi@users.sf.net>
Date: Sat, 12 Apr 2008 08:58:50 +0000
- accept unset CertificateFile
- print the certificate's fingerprint
- make the certificate acceptance prompt much less scary
Diffstat:
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/src/drv_imap.c b/src/drv_imap.c
@@ -188,9 +188,11 @@ static int
verify_cert( SSL *ssl )
{
X509 *cert;
+ BIO *bio;
int err;
+ unsigned n, i;
char buf[256];
- BIO *bio;
+ unsigned char md[EVP_MAX_MD_SIZE];
cert = SSL_get_peer_certificate( ssl );
if (!cert) {
@@ -219,15 +221,18 @@ verify_cert( SSL *ssl )
BIO_read( bio, buf, sizeof(buf) - 1 );
BIO_free( bio );
info( " to: %s\n", buf );
+ if (!X509_digest( cert, EVP_md5(), md, &n ))
+ info( "*** Unable to calculate fingerprint\n" );
+ else {
+ info( "Fingerprint: " );
+ for (i = 0; i < n; i += 2)
+ info( "%02X%02X ", md[i], md[i + 1] );
+ info( "\n" );
+ }
- fputs( "\n*** WARNING *** There is no way to verify this certificate. It is\n"
- " possible that a hostile attacker has replaced the\n"
- " server certificate. Continue at your own risk!\n"
- "\nAccept this certificate anyway? [no]: ", stderr );
- if (fgets( buf, sizeof(buf), stdin ) && (buf[0] == 'y' || buf[0] == 'Y')) {
- error( "\n*** Fine, but don't say I didn't warn you!\n\n" );
+ fputs( "\nAccept certificate? [y/N]: ", stderr );
+ if (fgets( buf, sizeof(buf), stdin ) && (buf[0] == 'y' || buf[0] == 'Y'))
return 0;
- }
return -1;
}
@@ -245,8 +250,7 @@ init_ssl_ctx( imap_store_t *ctx )
ctx->SSLContext = SSL_CTX_new( method );
if (!srvc->cert_file) {
- error( "Error, CertificateFile not defined\n" );
- return -1;
+ info( "Note: CertificateFile not defined\n" );
} else if (!SSL_CTX_load_verify_locations( ctx->SSLContext, srvc->cert_file, NULL )) {
error( "Error while loading certificate file '%s': %s\n",
srvc->cert_file, ERR_error_string( ERR_get_error(), 0 ) );