Option to reject S2S connection if untrusted certificate (EJAB-464)

author: Badlop <badlop@process-one.net> 2010-12-11 02:28:50 +0100
committer: Badlop <badlop@process-one.net> 2010-12-11 02:29:53 +0100
commit: b9bbe19d4ce697fd500f5869609752eebd278cb9 (patch)
tree: 7af825b50f8280d77a45c1e31c10118ec47568ac /src/tls/tls_drv.c
parent: Include From attribute in the stream header of outgoing S2S connections (diff)
1 files changed, 6 insertions, 3 deletions
diff --git a/src/tls/tls_drv.c b/src/tls/tls_drv.c
index fd4e7fff2..ae8707625 100644
--- a/src/tls/tls_drv.c
+++ b/src/tls/tls_drv.c
@@ -349,13 +349,16 @@ static int tls_drv_control(ErlDrvData handle,
 #ifdef SSL_MODE_RELEASE_BUFFERS
 	    SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif
+	    /* SSL_CTX_load_verify_locations(ctx, "/etc/ejabberd/ca_certificates.pem", NULL); */
+	    /* SSL_CTX_load_verify_locations(ctx, NULL, "/etc/ejabberd/ca_certs/"); */
 
-	    if (command == SET_CERTIFICATE_FILE_ACCEPT)
-	    {
+	    /* This IF is commented to allow verification in all cases: */
+	    /* if (command == SET_CERTIFICATE_FILE_ACCEPT) */
+	    /* { */
 	       SSL_CTX_set_verify(ctx,
 				  SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
 				  verify_callback);
-	    }
+	    /* } */
 
 	    ssl_ctx = ctx;
 	    hash_table_insert(buf, mtime, ssl_ctx);
author	Badlop <badlop@process-one.net>	2010-12-11 02:28:50 +0100
committer	Badlop <badlop@process-one.net>	2010-12-11 02:29:53 +0100
commit	b9bbe19d4ce697fd500f5869609752eebd278cb9 (patch)
tree	7af825b50f8280d77a45c1e31c10118ec47568ac /src/tls/tls_drv.c
parent	Include From attribute in the stream header of outgoing S2S connections (diff)