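--- a/stunnel-4.05/doc/stunnel.8
+++ b/stunnel-4.05/doc/stunnel.8
@@ -382,6 +382,20 @@
 \&    level 3 - verify peer with locally installed certificate
 \&    default - no verify
 .Ve
+.IP "\fBpurpose\fR = type" 4
+.IX Item "purpose = type"
+check the peer certificate for this purpose
+.Sp
+.Vb 4
+\&    ssl_server
+\&    ssl_client
+\&    ns_ssl_server
+\&    smime_sign
+\&    smime_encrypt
+\&    crl_sign
+\&    any
+\&    default - OpenSSL default
+.Ve
 .Sh "SERVICE-LEVEL \s-1OPTIONS\s0"
 .IX Subsection "SERVICE-LEVEL OPTIONS"
 Each configuration section begins with service name in square brackets.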
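--- a/stunnel-4.05/doc/stunnel.html
+++ b/stunnel-4.05/doc/stunnel.html
@@ -296,6 +296,19 @@
     level 3 - verify peer with locally installed certificate
     default - no verify</PRE>
 <P></P></DL>
+<DT><STRONG><A NAME="item_purpose_%3D_type"><STRONG>purpose</STRONG> = type</A></STRONG><BR>
+<DD>
+check the peer certificate for this purpose
+<PRE>
+    ssl_server
+    ssl_client
+    ns_ssl_server
+    smime_sign
+    smime_encrypt
+    crl_sign
+    any
+    default - OpenSSL default</PRE>
+<P></P></DL>
 <P>
 <H2><A NAME="servicelevel options">SERVICE-LEVEL OPTIONS</A></H2>
 <P>Each configuration section begins with service name in square brackets.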
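--- a/stunnel-4.05/src/common.h
+++ b/stunnel-4.05/src/common.h
@@ -234,6 +234,7 @@
 #include <openssl/err.h>
 #include <openssl/crypto.h> /* for CRYPTO_* and SSLeay_version */
 #include <openssl/rand.h>
+#include <openssl/x509v3.h> /* for X509_PURPOSE_* */
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 #include <openssl/engine.h>
 #endif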
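--- a/stunnel-4.05/src/options.c
+++ b/stunnel-4.05/src/options.c
@@ -620,6 +620,42 @@
         break;
     }
 
+    /* certificate purpose */
+    switch(cmd) {
+    case CMD_INIT:
+        options.verify_purpose=0;
+        break;
+    case CMD_EXEC:
+        if(strcasecmp(opt, "purpose"))
+            break;
+        options.verify_purpose=0;
+        if (strcasecmp(arg, "ssl_client") == 0)
+            options.verify_purpose=X509_PURPOSE_SSL_CLIENT;
+        else if (strcasecmp(arg, "ssl_server") == 0)
+            options.verify_purpose=X509_PURPOSE_SSL_SERVER;
+        else if (strcasecmp(arg, "ns_ssl_server") == 0)
+            options.verify_purpose=X509_PURPOSE_NS_SSL_SERVER;
+        else if (strcasecmp(arg, "smime_sign") == 0)
+            options.verify_purpose=X509_PURPOSE_SMIME_SIGN;
+        else if (strcasecmp(arg, "smime_encrypt") == 0)
+            options.verify_purpose=X509_PURPOSE_SMIME_ENCRYPT;
+        else if (strcasecmp(arg, "crl_sign") == 0)
+            options.verify_purpose=X509_PURPOSE_CRL_SIGN;
+        else if (strcasecmp(arg, "any") == 0)
+            options.verify_purpose=X509_PURPOSE_ANY;
+        else
+            return "Unknown purpose";
+        return NULL; /* OK */
+    case CMD_DEFAULT:
+        log_raw("%-15s = OpenSSL default", "purpose");
+        break;
+    case CMD_HELP:
+        log_raw("%-15s = check the peer certificate for this purpose", "purpose");
+        log_raw("%18sssl_client, ssl_server, ns_ssl_server, smime_sign,", "");
+        log_raw("%18ssmime_encrypt, crl_sign, any", "");
+        break;
+    }
+
     if(cmd==CMD_EXEC)
         return option_not_found;
     return NULL; /* OK */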
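Review bot: The CMD_EXEC branch (new lines 632–647) spells the seven accepted names out as a strcasecmp chain and the CMD_HELP text (lines 654–655) repeats the same list by hand, so the two can drift apart when a purpose is added; a file-scope name→purpose table driving the lookup keeps them in one place, and the help lines can be generated from, or at least checked against, the same table. The `options.verify_purpose=0;` at line 631 is redundant, because CMD_INIT already zeroes the field and an unknown value returns an error before the field is read. The zero sentinel deserves a comment, since ssl.c tests it to decide whether SSL_CTX_set_purpose is called at all and 0 is below X509_PURPOSE_MIN so it cannot collide with a real purpose id, e.g. `/* 0 = not configured; ssl.c then leaves the OpenSSL default purpose in place */`. The enclosing function starts and ends outside the hunk, so the loop index used below needs a declaration at its top.
```c
/* accepted values of the "purpose" option; 0 (not configured) keeps the OpenSSL default */
static const struct {
    const char *name;
    int purpose;
} purpose_names[] = {
    {"ssl_client",    X509_PURPOSE_SSL_CLIENT},
    {"ssl_server",    X509_PURPOSE_SSL_SERVER},
    {"ns_ssl_server", X509_PURPOSE_NS_SSL_SERVER},
    {"smime_sign",    X509_PURPOSE_SMIME_SIGN},
    {"smime_encrypt", X509_PURPOSE_SMIME_ENCRYPT},
    {"crl_sign",      X509_PURPOSE_CRL_SIGN},
    {"any",           X509_PURPOSE_ANY},
};

/* … unchanged: rest of the enclosing function up to the "purpose" switch … */
    case CMD_EXEC:
        if(strcasecmp(opt, "purpose"))
            break;
        for(i=0; i<sizeof purpose_names/sizeof purpose_names[0]; i++) {
            if(strcasecmp(arg, purpose_names[i].name)==0) {
                options.verify_purpose=purpose_names[i].purpose;
                return NULL; /* OK */
            }
        }
        return "Unknown purpose";
    /* … unchanged: CMD_DEFAULT and CMD_HELP cases … */
```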
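--- a/stunnel-4.05/src/prototypes.h
+++ b/stunnel-4.05/src/prototypes.h
@@ -107,6 +107,7 @@
     long session_timeout;
     int verify_level;
     int verify_use_only_my;
+    int verify_purpose;
     long ssl_options;
 
         /* some global data for stunnel.c */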
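--- a/stunnel-4.05/src/ssl.c
+++ b/stunnel-4.05/src/ssl.c
@@ -457,6 +457,16 @@
         }
     }
 
+    if(options.verify_purpose) {
+        if (!SSL_CTX_set_purpose(ctx, options.verify_purpose)) {
+            log(LOG_ERR, "Error setting verify purpose to %d",
+                options.verify_purpose);
+            sslerror("SSL_CTX_set_purpose");
+            exit(1);
+        }
+        log(LOG_DEBUG, "Set verify purpose to %d", options.verify_purpose);
+    }
+
     SSL_CTX_set_verify(ctx, options.verify_level==SSL_VERIFY_NONE ?
         SSL_VERIFY_PEER : options.verify_level, verify_callback);
 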
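Review bot: Whether a purpose mismatch actually rejects a peer is decided outside the new block: SSL_CTX_set_verify on the following lines always installs verify_callback with at least SSL_VERIFY_PEER, so at the default verify level (documented as "no verify" in the man page) the outcome depends on how that callback treats verification errors, which is not visible in the hunk. A comment on the new `if(options.verify_purpose)` block should state that dependency, e.g. `/* a purpose mismatch reaches verify_callback like any other X509 error; it is only enforced if the configured verify level rejects such errors */`, and the man page entry for purpose would ideally say the same. The LOG_DEBUG line prints the numeric X509_PURPOSE_* id; logging the configured name alongside it would let the debug output be matched against the configuration file. The enclosing function starts before the hunk.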
