tls_verify correction: Don't fail cert verification in non-GnuTLS modules

unless "cafile" setting is enabled.
author: Wilmer van der Gaast <wilmer@gaast.net> 2011-12-23 23:40:17 +0100
committer: Wilmer van der Gaast <wilmer@gaast.net> 2011-12-23 23:40:17 +0100
commit: 200e151edbbcbb164e7fe2a01a28a0c1c9108972 (patch)
tree: ba51f16352b0fab2911aae8298642a153aec82f6 /lib/ssl_openssl.c
parent: 792a93b417c24a206d8995ca8bf51482f20e997e (diff)
1 files changed, 3 insertions, 4 deletions
diff --git a/lib/ssl_openssl.c b/lib/ssl_openssl.c
index 955c8274..5c38d0e9 100644
--- a/lib/ssl_openssl.c
+++ b/lib/ssl_openssl.c
@@ -90,7 +90,7 @@ void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function
 	conn->func = func;
 	conn->data = data;
 	conn->inpa = -1;
-	conn->verify = verify;
+	conn->verify = verify && global.conf->cafile;
 	
 	/* This function should be called via a (short) timeout instead of
 	   directly from here, because these SSL calls are *supposed* to be
@@ -118,12 +118,11 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con
 	struct scd *conn = data;
 	SSL_METHOD *meth;
 	
-	/* Right now we don't have any verification functionality for openssl so we 
-	   fail in case verification has been requested by the user. */
+	/* Right now we don't have any verification functionality for OpenSSL. */
 
 	if( conn->verify )
 	{
-		conn->func( conn->data, OPENSSL_VERIFY_ERROR, NULL, cond );
+		conn->func( conn->data, 1, NULL, cond );
 		if( source >= 0 ) closesocket( source );
 		g_free( conn );
author	Wilmer van der Gaast <wilmer@gaast.net>	2011-12-23 23:40:17 +0100
committer	Wilmer van der Gaast <wilmer@gaast.net>	2011-12-23 23:40:17 +0100
commit	200e151edbbcbb164e7fe2a01a28a0c1c9108972 (patch)
tree	ba51f16352b0fab2911aae8298642a153aec82f6 /lib/ssl_openssl.c
parent	792a93b417c24a206d8995ca8bf51482f20e997e (diff)