On Sat, Dec 31, 2011 at 7:24 AM, Orion Poplawski <or...@cora.nwra.com> wrote: > On 12/30/2011 11:17 PM, Paul Lesniewski wrote: >> >> On Fri, Dec 30, 2011 at 7:38 PM, Orion Poplawski<or...@cora.nwra.com> >> wrote: >>> >>> in main.c the logic for for SSL CA init is incorrect: >>> >>> --- squirrelmail-imap_proxy-1.2.7/src/main.c.sslinit 2010-07-26 >>> 01:21:19.000000000 -0600 >>> +++ squirrelmail-imap_proxy-1.2.7/src/main.c 2011-12-30 >>> 20:25:31.495721931 -0700 >>> @@ -490,10 +490,10 @@ int main( int argc, char *argv[] ) >>> /* Work around all known bugs */ >>> SSL_CTX_set_options( tls_ctx, SSL_OP_ALL ); >>> >>> - if ( ! SSL_CTX_load_verify_locations( tls_ctx, >>> + if ( ! ( SSL_CTX_load_verify_locations( tls_ctx, >>> PC_Struct.tls_ca_file, >>> PC_Struct.tls_ca_path >>> ) || >>> - ! SSL_CTX_set_default_verify_paths( tls_ctx ) ) >>> + SSL_CTX_set_default_verify_paths( tls_ctx ) ) ) >>> { >>> syslog(LOG_ERR, "%s: Failed to load CA data. >>> Exiting.", fn); >>> exit( 1 ); >>> >>> >>> If SSL_CTX_load_verify_locations fails (returns 0) you want to try >>> SSL_CTX_set_default_verify_paths. Then if both fail you want to error >>> out. In the current code, if no tls_ca_file or tls_ca_path is specified >>> it never calls SSL_CTX_set_default because one half of the or succeeded. >> >> >> Nice catch. I think I prefer just changing the || to&& as follows >> instead: >> >> >> if ( ! SSL_CTX_load_verify_locations( tls_ctx, >> PC_Struct.tls_ca_file, >> PC_Struct.tls_ca_path )&& >> ! SSL_CTX_set_default_verify_paths( tls_ctx ) ) >> >> Seem OK with you? >> > > Looks like that would work as well. However, after thinking about it some > more I think something like this would be better: > > int r; > if (PC_Struct.tls_ca_file != NULL || PC_Struct.tls_ca_path != NULL ) { > r = SSL_CTX_load_verify_locations( tls_ctx, PC_Struct.tls_ca_file, > PC_Struct.tls_ca_path ); > } else { > r = SSL_CTX_set_default_verify_paths( tls_ctx ); > } > if (r == 0) { > syslog(LOG_ERR, "%s: Failed to load CA data. exiting.", fn); > exit( 1 ); > } > > That way if someone specifies a path and it fails to initialize imapproxy > fails to start rather than silently reverting to the ssl defaults.
You're right. Thanks for contributing to more clarity for the users of this tool. Thanks, Paul -- Paul Lesniewski SquirrelMail Team Please support Open Source Software by donating to SquirrelMail! http://squirrelmail.org/donate_paul_lesniewski.php ------------------------------------------------------------------------------ Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex infrastructure or vast IT resources to deliver seamless, secure access to virtual desktops. With this all-in-one solution, easily deploy virtual desktops for less than the cost of PCs and save 60% on VDI infrastructure costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox ----- squirrelmail-imapproxy mailing list Posting guidelines: http://squirrelmail.org/postingguidelines List address: squirrelmail-imapproxy@lists.sourceforge.net List archives: http://news.gmane.org/gmane.mail.squirrelmail.imapproxy List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-imapproxy