55 lines
1.6 KiB
XML
55 lines
1.6 KiB
XML
<?xml version='1.0' encoding='utf-8' ?>
|
|
<!DOCTYPE programlisting PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|
]>
|
|
<!-- Automatically generated file. Do not edit. -->
|
|
<programlisting language="C">
|
|
// Create the connection object.
|
|
SSL *ssl = SSL_new(ctx);
|
|
if (ssl == NULL) {
|
|
ERR_print_errors(bio_err);
|
|
exit(1);
|
|
}
|
|
SSL_set_fd(ssl, sockfd);
|
|
|
|
// Enable the ServerNameIndication extension
|
|
if (!SSL_set_tlsext_host_name(ssl, host)) {
|
|
ERR_print_errors(bio_err);
|
|
exit(1);
|
|
}
|
|
|
|
// Perform the TLS handshake with the server.
|
|
ret = SSL_connect(ssl);
|
|
if (ret != 1) {
|
|
// Error status can be 0 or negative.
|
|
ssl_print_error_and_exit(ssl, "SSL_connect", ret);
|
|
}
|
|
|
|
// Obtain the server certificate.
|
|
X509 *peercert = SSL_get_peer_certificate(ssl);
|
|
if (peercert == NULL) {
|
|
fprintf(stderr, "peer certificate missing");
|
|
exit(1);
|
|
}
|
|
|
|
// Check the certificate verification result. Allow an explicit
|
|
// certificate validation override in case verification fails.
|
|
int verifystatus = SSL_get_verify_result(ssl);
|
|
if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {
|
|
fprintf(stderr, "SSL_connect: verify result: %s\n",
|
|
X509_verify_cert_error_string(verifystatus));
|
|
exit(1);
|
|
}
|
|
|
|
// Check if the server certificate matches the host name used to
|
|
// establish the connection.
|
|
// FIXME: Currently needs OpenSSL 1.1.
|
|
if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),
|
|
0) != 1
|
|
&& !certificate_host_name_override(peercert, host)) {
|
|
fprintf(stderr, "SSL certificate does not match host name\n");
|
|
exit(1);
|
|
}
|
|
|
|
X509_free(peercert);
|
|
|
|
</programlisting>
|