On Fri, Dec 30, 2011 at 7:38 PM, Orion Poplawski <or...@cora.nwra.com> wrote:
> in main.c the logic for SSL CA init is incorrect:
>
> --- squirrelmail-imap_proxy-1.2.7/src/main.c.sslinit    2010-07-26
> 01:21:19.000000000 -0600
> +++ squirrelmail-imap_proxy-1.2.7/src/main.c    2011-12-30
> 20:25:31.495721931 -0700
> @@ -490,10 +490,10 @@ int main( int argc, char *argv[] )
>             /* Work around all known bugs */
>             SSL_CTX_set_options( tls_ctx, SSL_OP_ALL );
>
> -           if ( ! SSL_CTX_load_verify_locations( tls_ctx,
> +           if ( ! ( SSL_CTX_load_verify_locations( tls_ctx,
>                                                   PC_Struct.tls_ca_file,
>                                                   PC_Struct.tls_ca_path
> ) ||
> -                ! SSL_CTX_set_default_verify_paths( tls_ctx ) )
> +                    SSL_CTX_set_default_verify_paths( tls_ctx ) ) )
>             {
>                 syslog(LOG_ERR, "%s: Failed to load CA data.
> Exiting.", fn);
>                 exit( 1 );
>
>
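Review bot: in the rewritten condition, `SSL_CTX_set_default_verify_paths( tls_ctx )` runs whenever `SSL_CTX_load_verify_locations` returns 0, and that includes the case where `PC_Struct.tls_ca_file` or `PC_Struct.tls_ca_path` is set but cannot be loaded. The proxy would then continue with the system default CA locations instead of the configured ones, without logging the fallback. Consider falling back to the defaults only when both settings are unset, and treating a failed load of a configured file or path as fatal. The "Failed to load CA data" message could also say which source failed.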
> If SSL_CTX_load_verify_locations fails (returns 0) you want to try
> SSL_CTX_set_default_verify_paths.  Then if both fail you want to error
> out.  In the current code, if no tls_ca_file or tls_ca_path is specified
> it never calls SSL_CTX_set_default because one half of the or succeeded.

Nice catch.  I think I prefer just changing the || to && as follows instead:

        if ( ! SSL_CTX_load_verify_locations( tls_ctx,
                                                PC_Struct.tls_ca_file,
                                                PC_Struct.tls_ca_path ) &&
            ! SSL_CTX_set_default_verify_paths( tls_ctx ) )

Seem OK with you?

-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
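The three conditions discussed in this thread, as an added example that is not code from either message or from imapproxy: a small C model comparing the original test, the patch and the `&&` form, including whether the default paths are ever attempted. The two OpenSSL calls are replaced by constructed stand-ins with preset results, and all function names here are hypothetical.

```c
#include <stdio.h>

/* Constructed stand-ins for SSL_CTX_load_verify_locations() and
 * SSL_CTX_set_default_verify_paths(): each returns a preset result
 * (1 = success, 0 = failure); the second records that it was called. */
struct trace { int load_ret, dflt_ret, dflt_called; };

static int load_locations(struct trace *t) { return t->load_ret; }
static int default_paths(struct trace *t)  { t->dflt_called = 1; return t->dflt_ret; }

/* Each variant returns 1 when main() would log the error and exit. */
int original_exits(struct trace *t) { return !load_locations(t) || !default_paths(t); }
int patched_exits(struct trace *t)  { return !(load_locations(t) || default_paths(t)); }
int and_form_exits(struct trace *t) { return !load_locations(t) && !default_paths(t); }

typedef int (*variant_fn)(struct trace *);

/* Run one variant with preset outcomes.
 * Result: bit 0 = would exit, bit 1 = default paths were attempted. */
int run(variant_fn f, int load_ret, int dflt_ret)
{
    struct trace t = { load_ret, dflt_ret, 0 };
    int exits = f(&t);
    return exits | (t.dflt_called << 1);
}

int main(void)
{
    const char *names[] = { "original", "patched", "&& form" };
    variant_fn fns[] = { original_exits, patched_exits, and_form_exits };

    puts("variant   load dflt | exits tried_defaults");
    for (int v = 0; v < 3; v++)
        for (int load = 0; load <= 1; load++)
            for (int dflt = 0; dflt <= 1; dflt++) {
                int r = run(fns[v], load, dflt);
                printf("%-9s %4d %4d | %5d %14d\n",
                       names[v], load, dflt, r & 1, (r >> 1) & 1);
            }
    return 0;
}
```

The patch and the `&&` form produce identical rows; they differ from the original only in which calls the short-circuit evaluation skips.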