Re: [SM-imapproxy] SSL initialization logic error

Orion Poplawski Sat, 31 Dec 2011 07:25:47 -0800

On 12/30/2011 11:17 PM, Paul Lesniewski wrote:
> On Fri, Dec 30, 2011 at 7:38 PM, Orion Poplawski<or...@cora.nwra.com>  wrote:
>> in main.c the logic for for SSL CA init is incorrect:
>>
>> --- squirrelmail-imap_proxy-1.2.7/src/main.c.sslinit    2010-07-26
>> 01:21:19.000000000 -0600
>> +++ squirrelmail-imap_proxy-1.2.7/src/main.c    2011-12-30
>> 20:25:31.495721931 -0700
>> @@ -490,10 +490,10 @@ int main( int argc, char *argv[] )
>>              /* Work around all known bugs */
>>              SSL_CTX_set_options( tls_ctx, SSL_OP_ALL );
>>
>> -           if ( ! SSL_CTX_load_verify_locations( tls_ctx,
>> +           if ( ! ( SSL_CTX_load_verify_locations( tls_ctx,
>>                                                    PC_Struct.tls_ca_file,
>>                                                    PC_Struct.tls_ca_path
>> ) ||
>> -                ! SSL_CTX_set_default_verify_paths( tls_ctx ) )
>> +                    SSL_CTX_set_default_verify_paths( tls_ctx ) ) )
>>              {
>>                  syslog(LOG_ERR, "%s: Failed to load CA data.
>> Exiting.", fn);
>>                  exit( 1 );
>>
>>
>> If SSL_CTX_load_verify_locations fails (returns 0) you want to try
>> SSL_CTX_set_default_verify_paths.  Then if both fail you want to error
>> out.  In the current code, if no tls_ca_file or tls_ca_path is specified
>> it never calls SSL_CTX_set_default because one half of the or succeeded.
>
> Nice catch.  I think I prefer just changing the || to&&  as follows instead:
>
>          if ( ! SSL_CTX_load_verify_locations( tls_ctx,
>                                                  PC_Struct.tls_ca_file,
>                                                  PC_Struct.tls_ca_path )&&
>              ! SSL_CTX_set_default_verify_paths( tls_ctx ) )
>
> Seem OK with you?
>


Looks like that would work as well.  However, after thinking about it 
some more I think something like this would be better:

int r;
if (PC_Struct.tls_ca_file != NULL || PC_Struct.tls_ca_path != NULL ) {
   r = SSL_CTX_load_verify_locations( tls_ctx, PC_Struct.tls_ca_file, 
PC_Struct.tls_ca_path );
} else {
   r = SSL_CTX_set_default_verify_paths( tls_ctx );
}
if (r == 0) {
      syslog(LOG_ERR, "%s: Failed to load CA data. exiting.", fn);
      exit( 1 );
}

That way if someone specifies a path and it fails to initialize 
imapproxy fails to start rather than silently reverting to the ssl defaults.


-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                  or...@cora.nwra.com
Boulder, CO 80301              http://www.cora.nwra.com

------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual 
desktops for less than the cost of PCs and save 60% on VDI infrastructure 
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
-----
squirrelmail-imapproxy mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-imapproxy@lists.sourceforge.net
List archives: http://news.gmane.org/gmane.mail.squirrelmail.imapproxy
List info (subscribe/unsubscribe/change options): 
https://lists.sourceforge.net/lists/listinfo/squirrelmail-imapproxy

Re: [SM-imapproxy] SSL initialization logic error

Reply via email to