diff --git a/lib/transport/tls-session.c b/lib/transport/tls-session.c index 04386166f5..1cb24ee079 100644 --- a/lib/transport/tls-session.c +++ b/lib/transport/tls-session.c @@ -123,10 +123,13 @@ tls_session_verify_fingerprint(X509_STORE_CTX *ctx) if (!cert) return match; + hash = g_string_sized_new(EVP_MAX_MD_SIZE * 3); if (tls_get_x509_digest(cert, hash)) { + msg_debug("Validating certificate against trusted-keys()", + evt_tag_str("x509-digest", hash->str)); do { if (strcmp((const gchar *)(current_fingerprint->data), hash->str) == 0) @@ -195,11 +198,30 @@ tls_session_verify(TLSSession *self, int ok, X509_STORE_CTX *ctx) int ctx_error_depth = X509_STORE_CTX_get_error_depth(ctx); /* accept certificate if its fingerprint matches, again regardless whether x509 certificate validation was successful */ - if (ok && ctx_error_depth == 0 && !tls_session_verify_fingerprint(ctx)) + + if (ctx_error_depth == 0 && self->ctx->trusted_fingerprint_list) { - msg_notice("Certificate valid, but fingerprint constraints were not met, rejecting", - tls_context_format_location_tag(self->ctx)); - return 0; + /* trusted-keys() is present */ + if (ok) + { + /* this is an extra constraint */ + if (!tls_session_verify_fingerprint(ctx)) + { + msg_notice("Certificate valid, but fingerprint constraints were not met, rejecting", + tls_context_format_location_tag(self->ctx)); + return 0; + } + } + else + { + /* this is a trust anchor that forces the key to be valid */ + if (tls_session_verify_fingerprint(ctx)) + { + msg_notice("Certificate accepted due to being present on trusted-keys()", + tls_context_format_location_tag(self->ctx)); + return 1; + } + } } X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);