@ -1850,31 +1850,30 @@ tsi_result tsi_create_ssl_server_handshaker_factory_with_options( |
|
|
|
break; |
|
|
|
break; |
|
|
|
} |
|
|
|
} |
|
|
|
SSL_CTX_set_client_CA_list(impl->ssl_contexts[i], root_names); |
|
|
|
SSL_CTX_set_client_CA_list(impl->ssl_contexts[i], root_names); |
|
|
|
switch (options->client_certificate_request) { |
|
|
|
|
|
|
|
case TSI_DONT_REQUEST_CLIENT_CERTIFICATE: |
|
|
|
|
|
|
|
SSL_CTX_set_verify(impl->ssl_contexts[i], SSL_VERIFY_NONE, nullptr); |
|
|
|
|
|
|
|
break; |
|
|
|
|
|
|
|
case TSI_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY: |
|
|
|
|
|
|
|
SSL_CTX_set_verify(impl->ssl_contexts[i], SSL_VERIFY_PEER, |
|
|
|
|
|
|
|
NullVerifyCallback); |
|
|
|
|
|
|
|
break; |
|
|
|
|
|
|
|
case TSI_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY: |
|
|
|
|
|
|
|
SSL_CTX_set_verify(impl->ssl_contexts[i], SSL_VERIFY_PEER, nullptr); |
|
|
|
|
|
|
|
break; |
|
|
|
|
|
|
|
case TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY: |
|
|
|
|
|
|
|
SSL_CTX_set_verify( |
|
|
|
|
|
|
|
impl->ssl_contexts[i], |
|
|
|
|
|
|
|
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, |
|
|
|
|
|
|
|
NullVerifyCallback); |
|
|
|
|
|
|
|
break; |
|
|
|
|
|
|
|
case TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY: |
|
|
|
|
|
|
|
SSL_CTX_set_verify( |
|
|
|
|
|
|
|
impl->ssl_contexts[i], |
|
|
|
|
|
|
|
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr); |
|
|
|
|
|
|
|
break; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
/* TODO(jboeuf): Add revocation verification. */ |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
switch (options->client_certificate_request) { |
|
|
|
|
|
|
|
case TSI_DONT_REQUEST_CLIENT_CERTIFICATE: |
|
|
|
|
|
|
|
SSL_CTX_set_verify(impl->ssl_contexts[i], SSL_VERIFY_NONE, nullptr); |
|
|
|
|
|
|
|
break; |
|
|
|
|
|
|
|
case TSI_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY: |
|
|
|
|
|
|
|
SSL_CTX_set_verify(impl->ssl_contexts[i], SSL_VERIFY_PEER, |
|
|
|
|
|
|
|
NullVerifyCallback); |
|
|
|
|
|
|
|
break; |
|
|
|
|
|
|
|
case TSI_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY: |
|
|
|
|
|
|
|
SSL_CTX_set_verify(impl->ssl_contexts[i], SSL_VERIFY_PEER, nullptr); |
|
|
|
|
|
|
|
break; |
|
|
|
|
|
|
|
case TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY: |
|
|
|
|
|
|
|
SSL_CTX_set_verify(impl->ssl_contexts[i], |
|
|
|
|
|
|
|
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, |
|
|
|
|
|
|
|
NullVerifyCallback); |
|
|
|
|
|
|
|
break; |
|
|
|
|
|
|
|
case TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY: |
|
|
|
|
|
|
|
SSL_CTX_set_verify(impl->ssl_contexts[i], |
|
|
|
|
|
|
|
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, |
|
|
|
|
|
|
|
nullptr); |
|
|
|
|
|
|
|
break; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
/* TODO(jboeuf): Add revocation verification. */ |
|
|
|
|
|
|
|
|
|
|
|
result = extract_x509_subject_names_from_pem_cert( |
|
|
|
result = extract_x509_subject_names_from_pem_cert( |
|
|
|
options->pem_key_cert_pairs[i].cert_chain, |
|
|
|
options->pem_key_cert_pairs[i].cert_chain, |
|
|
|