| Message ID | 20171126141555.25930-3-steffan@karger.me |
|---|---|
| State | Accepted |
| Series | [Openvpn-devel,1/3] Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+ |
Acked-by: Gert Doering <gert@greenie.muc.de>

Cleanup, no effective code change.

Your patch has been applied to the master branch.

commit e05aca4517b666740b384399348b995a3a646629
Author: Steffan Karger
Date:   Sun Nov 26 15:15:55 2017 +0100

    tls_ctx_set_tls_versions: move verify_flags to where it is used

    Signed-off-by: Steffan Karger <steffan@karger.me>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20171126141555.25930-3-steffan@karger.me>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15931.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 18c0ba5f..10d161ef 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -262,9 +262,6 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags) { ASSERT(NULL != ctx); - /* default certificate verification flags */ - int flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; - /* process SSL options */ long sslopt = SSL_OP_SINGLE_DH_USE | SSL_OP_NO_TICKET; #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE @@ -282,17 +279,18 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags) SSL_CTX_set_default_passwd_cb(ctx->ctx, pem_password_callback); /* Require peer certificate verification */ + int verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; #if P2MP_SERVER if (ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) { - flags = 0; + verify_flags = 0; } else if (ssl_flags & SSLF_CLIENT_CERT_OPTIONAL) { - flags = SSL_VERIFY_PEER; + verify_flags = SSL_VERIFY_PEER; } #endif - SSL_CTX_set_verify(ctx->ctx, flags, verify_callback); + SSL_CTX_set_verify(ctx->ctx, verify_flags, verify_callback); SSL_CTX_set_info_callback(ctx->ctx, info_callback); }
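Review bot: in the second hunk the retained comment `/* Require peer certificate verification */` now sits directly above `int verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;`, yet the `#if P2MP_SERVER` block right below it can lower the value to `SSL_VERIFY_PEER` (`SSLF_CLIENT_CERT_OPTIONAL`) or to `0` (`SSLF_CLIENT_CERT_NOT_REQUIRED`), and with `0` OpenSSL never calls `verify_callback` at all; consider rewording the comment to say this is the default that the server options below may relax, so the declaration and its overrides read as one unit. The move itself is behaviour-preserving: the initial value is the same as the one removed in the first hunk, and the variable is now only live across the lines that set and consume it, at the cost of the C99 mid-block declaration the commit message calls out.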
Minor cleanup of this function now that we are allowed to write C99: move (and rename) flags to the code where it's actually used to improve readability.

(I originally did this as part of the tls-version-{min,max} patch for openssl 1.1, but that made the diff hard to read.)

Signed-off-by: Steffan Karger <steffan@karger.me>
---
 src/openvpn/ssl_openssl.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)