--- links-2.15/https.c 2017-11-21 20:23:53.000000000 +0100 +++ links-2.15/https.c.new 2018-04-30 11:59:14.311345880 +0200 @@ -29,6 +29,8 @@ #define LINKS_CRT_FILE links.crt #endif +#define VERIFY_DEPTH 10 + #ifdef HAVE_BUILTIN_SSL_CERTIFICATES #include "certs.inc" #define N_SSL_CONTEXTS 2 @@ -98,6 +100,36 @@ #endif +static int verify_cert(int code, X509_STORE_CTX *context) +{ + int error, depth; + + error = X509_STORE_CTX_get_error(context); + depth = X509_STORE_CTX_get_error_depth(context); + + if (depth > VERIFY_DEPTH) { + error = X509_V_ERR_CERT_CHAIN_TOO_LONG; + code = 0; + } + + if (!code) { + /* Judge self signed certificates as acceptable. */ + if (error == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN || + error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) { + code = 1; + } else { + fprintf(stderr, "Verification failure: %s\n", + X509_verify_cert_error_string(error)); + if (depth > VERIFY_DEPTH) { + fprintf(stderr, "Excessive depth %d, set depth %d.\n", + depth, VERIFY_DEPTH); + } + } + } + + return code; +} /* verify_cert */ + #if defined(HAVE_SSL_CERTIFICATES) && (defined(DOS) || defined(OS2) || defined(WIN) || defined(OPENVMS)) static int ssl_set_private_paths(SSL_CTX *ctx) { @@ -299,9 +331,11 @@ #ifndef SSL_OP_NO_COMPRESSION #define SSL_OP_NO_COMPRESSION 0 #endif - SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_COMPRESSION); + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_ALL | SSL_OP_NO_COMPRESSION); #ifdef SSL_MODE_ENABLE_PARTIAL_WRITE - SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); + SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_AUTO_RETRY); +#else + SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); #endif #ifdef SSL_CTX_set_min_proto_version #if defined(SSL3_VERSION) @@ -317,6 +351,7 @@ if (!idx) { if (ssl_set_private_paths(ctx)) SSL_CTX_set_default_verify_paths(ctx); + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cert); } else { #ifdef HAVE_BUILTIN_SSL_CERTIFICATES ssl_load_private_certificates(ctx);