证书校验选项及校验失败动作自测通过。

zhengchao
2019-05-24 11:26:41 +08:00
parent d553c0f5f6
commit 6b197e3347
2 changed files with 15 additions and 15 deletions


@@ -1107,7 +1107,7 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
sslerr=ssl_stream_log_error(bev, CONN_DIR_UPSTREAM, ctx->mgr);
if(sslerr)
{
s_stream->up_parts.svc_status.has_protocol_errors=1;
s_upstream->svc_status.has_protocol_errors=1;
ssl_service_cache_write(mgr->svc_cache, s_stream->up_parts.client_hello, &(s_stream->up_parts.svc_status));
}
snprintf(error_str, sizeof(error_str), "connect to original server failed : sni=%s", sni);
@@ -1143,29 +1143,29 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
{
if(mgr->no_cert_verify)
{
s_stream->up_parts.is_server_cert_verify_passed=1;
s_upstream->is_server_cert_verify_passed=1;
}
else
{
s_stream->up_parts.is_server_cert_verify_passed = ssl_trusted_cert_storage_verify_conn(s_stream->mgr->trust_CA_store,
s_upstream->is_server_cert_verify_passed = ssl_trusted_cert_storage_verify_conn(s_stream->mgr->trust_CA_store,
s_stream->ssl, s_stream->up_parts.client_hello->sni, &(s_stream->up_parts.verify_param),
error_str, sizeof(error_str), &(s_stream->up_parts.verify_result));
s_stream->up_parts.svc_status.is_ct=s_stream->up_parts.verify_result.is_ct;
s_stream->up_parts.svc_status.is_ev=s_stream->up_parts.verify_result.is_ev;
ssl_service_cache_write(mgr->svc_cache, s_stream->up_parts.client_hello, &(s_stream->up_parts.svc_status));
s_upstream->svc_status.is_ct=s_upstream->verify_result.is_ct;
s_upstream->svc_status.is_ev=s_upstream->verify_result.is_ev;
ssl_service_cache_write(mgr->svc_cache, s_upstream->client_hello, &(s_upstream->svc_status));
TFE_LOG_DEBUG(mgr->logger, "SNI: %s hostmatch:%d, ct:%d, ev:%d",
s_upstream->client_hello->sni,
s_stream->up_parts.verify_result.is_hostmatched,
s_stream->up_parts.verify_result.is_ct,
s_stream->up_parts.verify_result.is_ev);
if((!s_stream->up_parts.is_server_cert_verify_passed || !s_stream->up_parts.verify_result.is_hostmatched) && s_stream->up_parts.block_fake_cert)
s_upstream->verify_result.is_hostmatched,
s_upstream->verify_result.is_ct,
s_upstream->verify_result.is_ev);
if((!s_upstream->is_server_cert_verify_passed || !s_upstream->verify_result.is_hostmatched) && s_upstream->block_fake_cert)
{
s_stream->up_parts.action=SSL_ACTION_SHUTDOWN;
}
}
if(s_stream->up_parts.is_server_cert_verify_passed)
if(s_upstream->is_server_cert_verify_passed)
{
if(!mgr->no_sesscache)
if(!mgr->no_sesscache && s_stream->up_parts.action==SSL_ACTION_INTERCEPT)
{
//ONLY verified session is cacheable.
//The reference count of the SSL_SESSION is not incremented, so no need to free.
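Review bot: The session-cache gate added at `if(!mgr->no_sesscache && s_stream->up_parts.action==SSL_ACTION_INTERCEPT)` still keys on `is_server_cert_verify_passed` alone, while the shutdown decision a few lines above also requires `verify_result.is_hostmatched`; so when `block_fake_cert` is off, a chain that validated but for the wrong name stays `INTERCEPT` and its session is cached under the "ONLY verified session is cacheable" comment. Note too that the `no_cert_verify` branch sets `is_server_cert_verify_passed=1` without populating `verify_result`, so `is_hostmatched` is presumably stale or unset there and must not be read on that path. I would tighten the outer test to `if(s_upstream->is_server_cert_verify_passed && (mgr->no_cert_verify || s_upstream->verify_result.is_hostmatched))` and say so in the comment, `//ONLY a session whose chain AND hostname verified is cacheable.`. As a point of style, the `s_upstream` rename stops short of `s_stream->up_parts.action`, `.ssl`, `.verify_param` and `.verify_result` in the same hunk, which makes it look like two different objects are involved (they appear to be the same struct, but that is not visible here). The enclosing `ssl_server_connected_eventcb` begins and ends outside the hunk.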