From 85b587f93d7f1294fae78317c0841a30aaa03583 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Mon, 19 May 2008 18:52:44 +0200 Subject: first implementation of TLS server client authentication check The TLS server now checks the client fingerprint. This works, but is highly experimental. Needs to be refined for practice. Also: - implemented permittedPeers helper construct to store names - changed omfwd implementation to use new permittedPeers --- runtime/nsdsel_gtls.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'runtime/nsdsel_gtls.c') diff --git a/runtime/nsdsel_gtls.c b/runtime/nsdsel_gtls.c index e54693dc..082a044b 100644 --- a/runtime/nsdsel_gtls.c +++ b/runtime/nsdsel_gtls.c @@ -128,12 +128,10 @@ doRetry(nsd_gtls_t *pNsd) switch(pNsd->rtryCall) { case gtlsRtry_handshake: gnuRet = gnutls_handshake(pNsd->sess); - dbgprintf("handshake ret %d\n", gnuRet); if(gnuRet == 0) { + pNsd->rtryCall = gtlsRtry_None; /* we are done */ /* we got a handshake, now check authorization */ - // TODO: do it! - dbgprintf("handshake done\n"); - gtlsChkFingerprint(pNsd); + CHKiRet(gtlsChkFingerprint(pNsd)); } break; default: @@ -157,6 +155,9 @@ doRetry(nsd_gtls_t *pNsd) */ finalize_it: + if(iRet != RS_RET_OK) + pNsd->bAbortConn = 1; /* request abort */ +RUNLOG_VAR("%d", pNsd->bAbortConn); RETiRet; } -- cgit