On Sat, Dec 31, 2011 at 7:24 AM, Orion Poplawski <or...@cora.nwra.com> wrote:
> On 12/30/2011 11:17 PM, Paul Lesniewski wrote:
>>
>> On Fri, Dec 30, 2011 at 7:38 PM, Orion Poplawski<or...@cora.nwra.com>
>> wrote:
>>>
>>> in main.c the logic for for SSL CA init is incorrect:
>>>
>>> --- squirrelmail-imap_proxy-1.2.7/src/main.c.sslinit 2010-07-26
>>> 01:21:19.000000000 -0600
>>> +++ squirrelmail-imap_proxy-1.2.7/src/main.c 2011-12-30
>>> 20:25:31.495721931 -0700
>>> @@ -490,10 +490,10 @@ int main( int argc, char *argv[] )
>>> /* Work around all known bugs */
>>> SSL_CTX_set_options( tls_ctx, SSL_OP_ALL );
>>>
>>> - if ( ! SSL_CTX_load_verify_locations( tls_ctx,
>>> + if ( ! ( SSL_CTX_load_verify_locations( tls_ctx,
>>> PC_Struct.tls_ca_file,
>>> PC_Struct.tls_ca_path
>>> ) ||
>>> - ! SSL_CTX_set_default_verify_paths( tls_ctx ) )
>>> + SSL_CTX_set_default_verify_paths( tls_ctx ) ) )
>>> {
>>> syslog(LOG_ERR, "%s: Failed to load CA data.
>>> Exiting.", fn);
>>> exit( 1 );
>>>
>>>
>>> If SSL_CTX_load_verify_locations fails (returns 0) you want to try
>>> SSL_CTX_set_default_verify_paths. Then if both fail you want to error
>>> out. In the current code, if no tls_ca_file or tls_ca_path is specified
>>> it never calls SSL_CTX_set_default because one half of the or succeeded.
>>
>>
>> Nice catch. I think I prefer just changing the || to&& as follows
>> instead:
>>
>>
>> if ( ! SSL_CTX_load_verify_locations( tls_ctx,
>> PC_Struct.tls_ca_file,
>> PC_Struct.tls_ca_path )&&
>> ! SSL_CTX_set_default_verify_paths( tls_ctx ) )
>>
>> Seem OK with you?
>>
>
> Looks like that would work as well. However, after thinking about it some
> more I think something like this would be better:
>
> int r;
> if (PC_Struct.tls_ca_file != NULL || PC_Struct.tls_ca_path != NULL ) {
> r = SSL_CTX_load_verify_locations( tls_ctx, PC_Struct.tls_ca_file,
> PC_Struct.tls_ca_path );
> } else {
> r = SSL_CTX_set_default_verify_paths( tls_ctx );
> }
> if (r == 0) {
> syslog(LOG_ERR, "%s: Failed to load CA data. exiting.", fn);
> exit( 1 );
> }
>
> That way if someone specifies a path and it fails to initialize imapproxy
> fails to start rather than silently reverting to the ssl defaults.
You're right. Thanks for contributing to more clarity for the users
of this tool.
Thanks,
Paul
--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual
desktops for less than the cost of PCs and save 60% on VDI infrastructure
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
-----
squirrelmail-imapproxy mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-imapproxy@lists.sourceforge.net
List archives: http://news.gmane.org/gmane.mail.squirrelmail.imapproxy
List info (subscribe/unsubscribe/change options):
https://lists.sourceforge.net/lists/listinfo/squirrelmail-imapproxy
