We've seen a number of Cisco AnyConnect VPN servers which don't have the SSL server purpose bit set in their certificate.
We have a workaround¹ but I've just received a complaint that this workaround doesn't work correctly with older (<0.9.8k) versions of OpenSSL. Does the patch below make sense? It seems to work...

--- openconnect-2.22/ssl.c +++ openconnect-2.22/ssl.c @@ -474,6 +474,14 @@ void workaround_openssl_certchain_bug(struct openconnect_info *vpninfo, X509_STORE_CTX_cleanup(&ctx); } +static int ssl_app_verify_callback(X509_STORE_CTX *ctx, void *arg) +{ + /* We've seen certificates in the wild which don't have the + purpose fields filled in correctly */ + X509_VERIFY_PARAM_set_purpose(ctx->param, X509_PURPOSE_ANY); + return X509_verify_cert(ctx); +} + int openconnect_open_https(struct openconnect_info *vpninfo) { method_const SSL_METHOD *ssl3_method; @@ -649,9 +657,13 @@ int openconnect_open_https(struct openconnect_info *vpninfo) } } - /* We've seen certificates in the wild which don't have the - purpose fields filled in correctly */ - SSL_CTX_set_purpose(vpninfo->https_ctx, X509_PURPOSE_ANY); + /* We just want to do: + SSL_CTX_set_purpose(vpninfo->https_ctx, X509_PURPOSE_ANY); + ... but it doesn't work with OpenSSL < 0.9.8k because of + problems with inheritance (fixed in v1.1.4.6 of + crypto/ssl/x509_vpm.c) so we have to play silly buggers + instead. */ + SSL_CTX_set_cert_verify_callback(vpninfo->https_ctx, ssl_app_verify_callback, NULL); SSL_CTX_set_default_verify_paths(vpninfo->https_ctx); if (vpninfo->cafile)

-- dwmw2

¹ http://git.infradead.org/users/dwmw2/openconnect.git/blob/b98c7e15:/ssl.c#l652
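Review bot: in the first hunk, ssl_app_verify_callback dereferences ctx->param, a field of X509_STORE_CTX that is internal to libcrypto; use the accessor X509_STORE_CTX_get0_param(ctx) so the code does not depend on the struct layout. The return value of X509_VERIFY_PARAM_set_purpose is also dropped (it returns 0 for an unknown purpose id), and the unused arg parameter could carry vpninfo instead of NULL if the callback ever needs it. The comment should also say that this relaxes the purpose check for every server, not only the misconfigured Cisco ones: a certificate whose extendedKeyUsage lacks serverAuth is now accepted whenever X509_verify_cert is otherwise satisfied.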
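Review bot: the comment in the second hunk cites crypto/ssl/x509_vpm.c, but in the OpenSSL tree the file is crypto/x509/x509_vpm.c, and "v1.1.4.6" reads like a repository revision rather than something a reader can map to a release; name the release the prose already gives (fixed as of 0.9.8k) alongside it. Since SSL_CTX_set_cert_verify_callback replaces the default verification entry point for the whole context, it is also worth a line saying that the callback is now the only place the purpose is relaxed, so nobody reinstates SSL_CTX_set_purpose later and wonders why old OpenSSL ignores it.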
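As an added check that is not part of the post or of openconnect: a short sh script that mints two constructed self-signed test certificates, one with serverAuth in its extendedKeyUsage and one with clientAuth only, and asks openssl x509 -purpose whether each passes the "SSL server" purpose that OpenSSL applies by default when a client verifies a server. It assumes only that the openssl command-line tool is on PATH; run it against a VPN server's real certificate to find out whether the X509_PURPOSE_ANY workaround is needed at all.

```shell
#!/bin/sh
# Added example, not openconnect code. Mints two constructed test
# certificates and runs OpenSSL's purpose check over each: the one with
# serverAuth passes, the one with clientAuth only fails, which is the
# defect the post's X509_PURPOSE_ANY workaround papers over.
# Assumes the openssl CLI is on PATH.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mint_cert NAME EKU: write a self-signed cert whose extendedKeyUsage
# is EKU (constructed test data) and print the path of the PEM file.
mint_cert() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = vpn.example.test
[ext]
extendedKeyUsage = $2
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/$1.cnf" -extensions ext \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
  printf '%s\n' "$WORK/$1.pem"
}

# check_server_purpose PEM: return 0 if OpenSSL accepts the certificate
# for the SSL server purpose (X509_PURPOSE_SSL_SERVER), 1 if it would
# be rejected and only X509_PURPOSE_ANY would let it through.
check_server_purpose() {
  openssl x509 -in "$1" -noout -purpose | grep -q '^SSL server : Yes$'
}

report() {
  if check_server_purpose "$1"; then
    echo "$1: SSL server purpose OK"
  else
    echo "$1: SSL server purpose MISSING; X509_PURPOSE_ANY would be needed"
  fi
}

report "$(mint_cert good serverAuth)"
report "$(mint_cert bad clientAuth)"
```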