upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2026-01-06 06:49:35 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

- Fix #4129 unbound-control error message with wrong cert permissions

Browse source 
is too cryptic.


git-svn-id: file:///svn/unbound/trunk@4791 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2018-07-19 06:22:11 +00:00
parent f8e585f308
commit 38e77d50f2
2 changed files with 28 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
doc/Changelog
View file

@ -1,3 +1,7 @@
19 July 2018: Wouter
- Fix #4129 unbound-control error message with wrong cert permissions
is too cryptic.
17 July 2018: Wouter
- Fix #4127 unbound -h does not list -p help.
- Print error if SSL name verification configured but not available

29
smallapp/unbound-control.c
View file

@ -447,6 +447,22 @@ static void ssl_err(const char* s)
exit(1);
}
/** exit with ssl error related to a file path */
static void ssl_path_err(const char* s, const char *path)
{
unsigned long err;
err = ERR_peek_error();
if (ERR_GET_LIB(err) == ERR_LIB_SYS &&
(ERR_GET_FUNC(err) == SYS_F_FOPEN ||
ERR_GET_FUNC(err) == SYS_F_FREAD) ) {
fprintf(stderr, "error: %s\n%s: %s\n",
s, path, ERR_reason_error_string(err));
exit(1);
} else {
ssl_err(s);
}
}
/** setup SSL context */
static SSL_CTX*
setup_ctx(struct config_file* cfg)
@ -470,12 +486,15 @@ setup_ctx(struct config_file* cfg)
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
!= SSL_OP_NO_SSLv3)
ssl_err("could not set SSL_OP_NO_SSLv3");
if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) ||
!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
|| !SSL_CTX_check_private_key(ctx))
ssl_err("Error setting up SSL_CTX client key and cert");
if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert))
ssl_path_err("Error setting up SSL_CTX client cert", c_cert);
if (!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM))
ssl_path_err("Error setting up SSL_CTX client key", c_key);
if (!SSL_CTX_check_private_key(ctx))
ssl_err("Error setting up SSL_CTX client key");
if (SSL_CTX_load_verify_locations(ctx, s_cert, NULL) != 1)
ssl_err("Error setting up SSL_CTX verify, server cert");
ssl_path_err("Error setting up SSL_CTX verify, server cert",
s_cert);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
free(s_cert);