From b9bbe19d4ce697fd500f5869609752eebd278cb9 Mon Sep 17 00:00:00 2001
From: Badlop <badlop@process-one.net>
Date: Sat, 11 Dec 2010 02:28:50 +0100
Subject: Option to reject S2S connection if untrusted certificate (EJAB-464)

---
 src/tls/tls_drv.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'src/tls/tls_drv.c')

diff --git a/src/tls/tls_drv.c b/src/tls/tls_drv.c
index fd4e7fff..ae870762 100644
--- a/src/tls/tls_drv.c
+++ b/src/tls/tls_drv.c
@@ -349,13 +349,16 @@ static int tls_drv_control(ErlDrvData handle,
 #ifdef SSL_MODE_RELEASE_BUFFERS
 	    SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif
+	    /* SSL_CTX_load_verify_locations(ctx, "/etc/ejabberd/ca_certificates.pem", NULL); */
+	    /* SSL_CTX_load_verify_locations(ctx, NULL, "/etc/ejabberd/ca_certs/"); */
 
-	    if (command == SET_CERTIFICATE_FILE_ACCEPT)
-	    {
+	    /* This IF is commented to allow verification in all cases: */
+	    /* if (command == SET_CERTIFICATE_FILE_ACCEPT) */
+	    /* { */
 	       SSL_CTX_set_verify(ctx,
 				  SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
 				  verify_callback);
-	    }
+	    /* } */
 
 	    ssl_ctx = ctx;
 	    hash_table_insert(buf, mtime, ssl_ctx);
-- 
cgit v1.2.3