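--- a/stunnel-4.10/doc/stunnel.8
+++ b/stunnel-4.10/doc/stunnel.8
@@ -406,6 +406,20 @@
 \&    level 3 - verify peer with locally installed certificate
 \&    default - no verify
 .Ve
+.IP "\fBpurpose\fR = type" 4
+.IX Item "purpose = type"
+check the peer certificate for this purpose
+.Sp
+.Vb 4
+\&    ssl_server
+\&    ssl_client
+\&    ns_ssl_server
+\&    smime_sign
+\&    smime_encrypt
+\&    crl_sign
+\&    any
+\&    default - OpenSSL default
+.Ve
 .Sh "SERVICE-LEVEL \s-1OPTIONS\s0"
 .IX Subsection "SERVICE-LEVEL OPTIONS"
 Each configuration section begins with service name in square brackets.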
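--- a/stunnel-4.10/doc/stunnel.html
+++ b/stunnel-4.10/doc/stunnel.html
@@ -480,6 +480,22 @@
     level 3 - verify peer with locally installed certificate
     default - no verify</pre>
 </dd>
+<dt><strong><a name="item_purpose__3d_type"><strong>purpose</strong> = type</a></strong><br />
+</dt>
+<dd>
+check the peer certificate for this purpose
+</dd>
+<dd>
+<pre>
+    ssl_server
+    ssl_client
+    ns_ssl_server
+    smime_sign
+    smime_encrypt
+    crl_sign
+    any
+    default - OpenSSL default</pre>
+</dd>
 <p></p></dl>
 <p>
 </p>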
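--- a/stunnel-4.10/src/common.h
+++ b/stunnel-4.10/src/common.h
@@ -249,6 +249,7 @@
 #include <openssl/err.h>
 #include <openssl/crypto.h> /* for CRYPTO_* and SSLeay_version */
 #include <openssl/rand.h>
+#include <openssl/x509v3.h> /* for X509_PURPOSE_* */
 #if (SSLEAY_VERSION_NUMBER >= 0x00907000L) && defined(HAVE_OSSL_ENGINE_H)
 #include <openssl/engine.h>
 #endif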
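--- a/stunnel-4.10/src/options.c
+++ b/stunnel-4.10/src/options.c
@@ -664,6 +664,42 @@
         break;
     }
 
+    /* certificate purpose */
+    switch(cmd) {
+    case CMD_INIT:
+        options.verify_purpose=0;
+        break;
+    case CMD_EXEC:
+        if(strcasecmp(opt, "purpose"))
+            break;
+        options.verify_purpose=0;
+        if (strcasecmp(arg, "ssl_client") == 0)
+            options.verify_purpose=X509_PURPOSE_SSL_CLIENT;
+        else if (strcasecmp(arg, "ssl_server") == 0)
+            options.verify_purpose=X509_PURPOSE_SSL_SERVER;
+        else if (strcasecmp(arg, "ns_ssl_server") == 0)
+            options.verify_purpose=X509_PURPOSE_NS_SSL_SERVER;
+        else if (strcasecmp(arg, "smime_sign") == 0)
+            options.verify_purpose=X509_PURPOSE_SMIME_SIGN;
+        else if (strcasecmp(arg, "smime_encrypt") == 0)
+            options.verify_purpose=X509_PURPOSE_SMIME_ENCRYPT;
+        else if (strcasecmp(arg, "crl_sign") == 0)
+            options.verify_purpose=X509_PURPOSE_CRL_SIGN;
+        else if (strcasecmp(arg, "any") == 0)
+            options.verify_purpose=X509_PURPOSE_ANY;
+        else
+            return "Unknown purpose";
+        return NULL; /* OK */
+    case CMD_DEFAULT:
+        log_raw("%-15s = OpenSSL default", "purpose");
+        break;
+    case CMD_HELP:
+        log_raw("%-15s = check the peer certificate for this purpose", "purpose");
+        log_raw("%18sssl_client, ssl_server, ns_ssl_server, smime_sign,", "");
+        log_raw("%18ssmime_encrypt, crl_sign, any", "");
+        break;
+    }
+
     if(cmd==CMD_EXEC)
         return option_not_found;
     return NULL; /* OK */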
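Review bot: The added comparisons in `case CMD_EXEC` mix two spacing styles — the guard `if(strcasecmp(opt, "purpose"))` follows the form used elsewhere in this parser, while the chain beneath it switches to `if (strcasecmp(arg, "ssl_client") == 0)`; one form throughout, e.g. `if(!strcasecmp(arg, "ssl_client"))`, would read like the surrounding option handlers. The seven-branch chain and the two CMD_HELP strings spell out the same accepted names twice, so a single static name/constant table walked in a loop, and also used to emit the help text, would keep the two lists from drifting apart when a purpose is added. The `/* certificate purpose */` comment would also help operators if it noted that the value is only handed to OpenSSL at context setup and is returned as `"Unknown purpose"` on any unlisted name. The enclosing option-parsing function begins and ends outside the hunk.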
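--- a/stunnel-4.10/src/prototypes.h
+++ b/stunnel-4.10/src/prototypes.h
@@ -112,6 +112,7 @@
     long session_timeout;
     int verify_level;
     int verify_use_only_my;
+    int verify_purpose;
     long ssl_options;
 
         /* some global data for stunnel.c */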
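--- a/stunnel-4.10/src/ssl.c
+++ b/stunnel-4.10/src/ssl.c
@@ -529,6 +529,16 @@
         }
     }
 
+    if(options.verify_purpose) {
+        if (!SSL_CTX_set_purpose(ctx, options.verify_purpose)) {
+            s_log(LOG_ERR, "Error setting verify purpose to %d",
+                options.verify_purpose);
+            sslerror("SSL_CTX_set_purpose");
+            exit(1);
+        }
+        s_log(LOG_DEBUG, "Set verify purpose to %d", options.verify_purpose);
+    }
+
     SSL_CTX_set_verify(ctx, options.verify_level==SSL_VERIFY_NONE ?
         SSL_VERIFY_PEER : options.verify_level, verify_callback);
 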
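Review bot: Both new log lines print the purpose as a bare `%d`, which is the OpenSSL X509_PURPOSE_* id rather than the name the operator wrote in the configuration, so neither the LOG_ERR failure message nor the LOG_DEBUG confirmation is easy to match back to the config file; logging the configured name (kept alongside the id, or recovered with `X509_PURPOSE_get0_name()` on the matching X509_PURPOSE) would make them actionable. The purpose is also applied regardless of `options.verify_level`; if `verify_callback` (outside this hunk) accepts peers when no `verify` level is configured, a `purpose` set on its own would be silently ineffective, and a notice at this point, `if(options.verify_purpose && options.verify_level==SSL_VERIFY_NONE) s_log(LOG_WARNING, "purpose set but verify is disabled");`, would surface that misconfiguration at startup instead of leaving it to be discovered in a handshake. The enclosing context-setup function begins outside the hunk.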

Return to bug 96956