GUACAMOLE-623: Explicitly bypass certificate checks if requested.
For older versions of libwebsockets, simply requesting that OpenSSL ignore the verification result is insufficient, as libwebsockets manually checks and confirms the verification result, producing an error in all but specific cases.
This commit is contained in:
parent
7ee624844a
commit
44d3433ea9
@ -110,6 +110,27 @@ static EVP_PKEY* guac_kubernetes_read_key(char* pem) {
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* OpenSSL certificate verification callback which universally accepts all
|
||||
* certificates without performing any verification at all.
|
||||
*
|
||||
* @param x509_ctx
|
||||
* The current context of the certificate verification process. This
|
||||
* parameter is ignored by this particular implementation of the callback.
|
||||
*
|
||||
* @param arg
|
||||
* The arbitrary value passed to SSL_CTX_set_cert_verify_callback(). This
|
||||
* parameter is ignored by this particular implementation of the callback.
|
||||
*
|
||||
* @return
|
||||
* Strictly 0 if certificate verification fails, 1 if the certificate is
|
||||
* verified. No other values are legal return values for this callback as
|
||||
* documented by OpenSSL.
|
||||
*/
|
||||
static int guac_kubernetes_assume_cert_ok(X509_STORE_CTX* x509_ctx, void* arg) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
void guac_kubernetes_init_ssl(guac_client* client, SSL_CTX* context) {
|
||||
|
||||
guac_kubernetes_client* kubernetes_client =
|
||||
@ -118,8 +139,11 @@ void guac_kubernetes_init_ssl(guac_client* client, SSL_CTX* context) {
|
||||
guac_kubernetes_settings* settings = kubernetes_client->settings;
|
||||
|
||||
/* Bypass certificate checks if requested */
|
||||
if (settings->ignore_cert)
|
||||
SSL_CTX_set_verify(context, SSL_VERIFY_NONE, NULL);
|
||||
if (settings->ignore_cert) {
|
||||
SSL_CTX_set_verify(context, SSL_VERIFY_PEER, NULL);
|
||||
SSL_CTX_set_cert_verify_callback(context,
|
||||
guac_kubernetes_assume_cert_ok, NULL);
|
||||
}
|
||||
|
||||
/* Otherwise use the given CA certificate to validate (if any) */
|
||||
else if (settings->ca_cert != NULL) {
|
||||
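Review bot: The comment `/* Bypass certificate checks if requested */` above the new if-block no longer explains why verification is switched on with SSL_VERIFY_PEER and then neutralized by guac_kubernetes_assume_cert_ok instead of simply using SSL_VERIFY_NONE; that rationale exists only in the commit message, and a later maintainer is likely to "simplify" it back. Suggest extending the comment to `/* Bypass certificate checks if requested. SSL_VERIFY_NONE alone is not enough with older libwebsockets, which inspects the verification result itself, so verification stays enabled but the callback accepts every chain unconditionally. */`. Since this branch disables all chain and trust checks for the connection, it would also help operators to log that fact at warning level inside the block, e.g. `guac_client_log(client, GUAC_LOG_WARNING, "Certificate verification is disabled for this connection.");`, so an unverified session is visible in the client log rather than silent. The enclosing function guac_kubernetes_init_ssl continues outside the hunk.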