On 12/30/2011 11:17 PM, Paul Lesniewski wrote:
> On Fri, Dec 30, 2011 at 7:38 PM, Orion Poplawski<[email protected]> wrote:
>> in main.c the logic for for SSL CA init is incorrect:
>>
>> --- squirrelmail-imap_proxy-1.2.7/src/main.c.sslinit 2010-07-26
>> 01:21:19.000000000 -0600
>> +++ squirrelmail-imap_proxy-1.2.7/src/main.c 2011-12-30
>> 20:25:31.495721931 -0700
>> @@ -490,10 +490,10 @@ int main( int argc, char *argv[] )
>> /* Work around all known bugs */
>> SSL_CTX_set_options( tls_ctx, SSL_OP_ALL );
>>
>> - if ( ! SSL_CTX_load_verify_locations( tls_ctx,
>> + if ( ! ( SSL_CTX_load_verify_locations( tls_ctx,
>> PC_Struct.tls_ca_file,
>> PC_Struct.tls_ca_path
>> ) ||
>> - ! SSL_CTX_set_default_verify_paths( tls_ctx ) )
>> + SSL_CTX_set_default_verify_paths( tls_ctx ) ) )
>> {
>> syslog(LOG_ERR, "%s: Failed to load CA data.
>> Exiting.", fn);
>> exit( 1 );
>>
>>
>> If SSL_CTX_load_verify_locations fails (returns 0) you want to try
>> SSL_CTX_set_default_verify_paths. Then if both fail you want to error
>> out. In the current code, if no tls_ca_file or tls_ca_path is specified
>> it never calls SSL_CTX_set_default because one half of the or succeeded.
>
> Nice catch. I think I prefer just changing the || to&& as follows instead:
>
> if ( ! SSL_CTX_load_verify_locations( tls_ctx,
> PC_Struct.tls_ca_file,
> PC_Struct.tls_ca_path )&&
> ! SSL_CTX_set_default_verify_paths( tls_ctx ) )
>
> Seem OK with you?
>
Looks like that would work as well. However, after thinking about it
some more I think something like this would be better:
int r;
if (PC_Struct.tls_ca_file != NULL || PC_Struct.tls_ca_path != NULL ) {
r = SSL_CTX_load_verify_locations( tls_ctx, PC_Struct.tls_ca_file,
PC_Struct.tls_ca_path );
} else {
r = SSL_CTX_set_default_verify_paths( tls_ctx );
}
if (r == 0) {
syslog(LOG_ERR, "%s: Failed to load CA data. exiting.", fn);
exit( 1 );
}
That way if someone specifies a path and it fails to initialize
imapproxy fails to start rather than silently reverting to the ssl defaults.
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane [email protected]
Boulder, CO 80301 http://www.cora.nwra.com
------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual
desktops for less than the cost of PCs and save 60% on VDI infrastructure
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
-----
squirrelmail-imapproxy mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [email protected]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.imapproxy
List info (subscribe/unsubscribe/change options):
https://lists.sourceforge.net/lists/listinfo/squirrelmail-imapproxy
