Only check top-level certificate against fingerprint list.
This allows "chain" certificates to be used with the fingerprint whitelist option. A user can obtain a system-CA signature as a fallback while clients explicitly whitelist the server certificate. The user-specified CA can also be combined with fingerprint whitelisting.
This commit is contained in:
parent
7c388fb358
commit
97cd1fa98d
@ -285,8 +285,10 @@ bool ssl_options_t::has_fingerprint(boost::asio::ssl::verify_context &ctx) const
MERROR("Error getting verify_context handle");
MERROR("Error getting verify_context handle");
return false;
return false;
}
}
X509 *cert =X509_STORE_CTX_get_current_cert(sctx);
if (!cert)
X509* cert = nullptr;
const STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(sctx);
if (!chain || sk_X509_num(chain) < 1 || !(cert = sk_X509_value(chain, 0)))
{
{
MERROR("No certificate found in verify_context");
MERROR("No certificate found in verify_context");
return false;
return false;
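Review bot: The new lookup needs a comment stating why index 0 is taken, because nothing in the hunk records that `sk_X509_value(chain, 0)` is the peer (leaf) certificate and that this verify callback is entered once per chain depth, so the fingerprint check is deliberately repeated against the leaf while issuer certificates are never matched here. A line such as `// chain[0] is the peer (leaf) certificate; the verify callback runs once per depth, and only the leaf is matched against the fingerprint list — issuers are left to the normal CA verification.` above the `const STACK_OF(X509)* chain` line would make that contract explicit to the next reader. On OpenSSL 1.1 and later the non-deprecated spelling is `X509_STORE_CTX_get0_chain`, which returns the same borrowed stack; the page does not show which OpenSSL versions the project supports, so that can be a follow-up. has_fingerprint begins before the hunk and its body continues after it.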