Option to reject S2S connection if untrusted certificate (EJAB-464)

author: Badlop <badlop@process-one.net> 2011-01-11 01:49:32 +0100
committer: Badlop <badlop@process-one.net> 2011-01-11 16:38:33 +0100
commit: 2d0d46e2965d1516d1f87603919abcd1f06f8311 (patch)
tree: 8e6818b8b9e310d3a821a160d58b319afa6174ee /src/tls/tls_drv.c
parent: Include From attribute in the stream header of outgoing S2S connections (diff)
1 files changed, 6 insertions, 3 deletions
diff --git a/src/tls/tls_drv.c b/src/tls/tls_drv.c
index fd4e7fff2..ae8707625 100644
--- a/src/tls/tls_drv.c
+++ b/src/tls/tls_drv.c
@@ -349,13 +349,16 @@ static int tls_drv_control(ErlDrvData handle,
 #ifdef SSL_MODE_RELEASE_BUFFERS
 	    SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif
+	    /* SSL_CTX_load_verify_locations(ctx, "/etc/ejabberd/ca_certificates.pem", NULL); */
+	    /* SSL_CTX_load_verify_locations(ctx, NULL, "/etc/ejabberd/ca_certs/"); */
 
-	    if (command == SET_CERTIFICATE_FILE_ACCEPT)
-	    {
+	    /* This IF is commented to allow verification in all cases: */
+	    /* if (command == SET_CERTIFICATE_FILE_ACCEPT) */
+	    /* { */
 	       SSL_CTX_set_verify(ctx,
 				  SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
 				  verify_callback);
-	    }
+	    /* } */
 
 	    ssl_ctx = ctx;
 	    hash_table_insert(buf, mtime, ssl_ctx);
author	Badlop <badlop@process-one.net>	2011-01-11 01:49:32 +0100
committer	Badlop <badlop@process-one.net>	2011-01-11 16:38:33 +0100
commit	2d0d46e2965d1516d1f87603919abcd1f06f8311 (patch)
tree	8e6818b8b9e310d3a821a160d58b319afa6174ee /src/tls/tls_drv.c
parent	Include From attribute in the stream header of outgoing S2S connections (diff)