[vlc-devel] [PATCH 1/2] tls: Add a way to ignore CA check.

Hugo Beauzée-Luyssen hugo at beauzee.fr
Thu Jan 18 11:25:32 CET 2018


---
 include/vlc_tls.h     | 13 +++++++++++++
 modules/misc/gnutls.c |  7 +++++++
 src/network/tls.c     |  2 ++
 3 files changed, 22 insertions(+)

diff --git a/include/vlc_tls.h b/include/vlc_tls.h
index 92562b5e11..fa2afd17e1 100644
--- a/include/vlc_tls.h
+++ b/include/vlc_tls.h
@@ -76,6 +76,19 @@ typedef struct vlc_tls_creds
     int  (*handshake)(struct vlc_tls_creds *, vlc_tls_t *session,
                       const char *hostname, const char *service,
                       char ** /*restrict*/ alp);
+
+    /**
+     * @brief ignore_ca_check allows a user to bypass the certificate authority
+     *                        verification and accept self signed certificates.
+     *
+     * This will accept:
+     * - Self signed certificate
+     * - Certificates signed by known bad CA
+     * - Certificates signed by unknown CA
+     * This will still reject every other invalid certificates.
+     * Use with caution and at your own risk.
+     */
+    bool ignore_ca_check;
 } vlc_tls_creds_t;
 
 /**
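Review bot: The doc comment on `ignore_ca_check` promises more than the gnutls hunk in this same patch implements: the bullet "Certificates signed by known bad CA" is not covered, since that implementation accepts the peer only when the verification status is exactly `GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID`, i.e. an issuer that is not in the trust store (which includes self-signed certificates); a known CA that is rejected for another reason sets different status bits and still fails. I would drop that bullet, replace the first two with `- Certificates whose issuer is not in the trust store (including self-signed)`, and add a sentence stating what stays enforced, e.g. `Expired, revoked, hostname-mismatched and weakly-signed certificates are still rejected.` The comment should also say that the field must be left `false` unless the user explicitly opted in for this connection, since the header is the only place a module author will read the contract. As this field is appended to a public struct, a note that modules must be rebuilt against the new header would help too, if that is the project's ABI policy.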
diff --git a/modules/misc/gnutls.c b/modules/misc/gnutls.c
index 1cca9c14a7..f12a7c5f1d 100644
--- a/modules/misc/gnutls.c
+++ b/modules/misc/gnutls.c
@@ -445,6 +445,13 @@ static int gnutls_ClientHandshake(vlc_tls_creds_t *creds, vlc_tls_t *tls,
         gnutls_free (desc.data);
     }
 
+    if (status == (GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID) &&
+            creds->ignore_ca_check)
+    {
+        msg_Info( creds, "Accepting self-signed/untrusted CA certificate." );
+        return 0;
+    }
+
     status &= ~GNUTLS_CERT_INVALID; /* always set / catch-all error */
     status &= ~GNUTLS_CERT_SIGNER_NOT_FOUND; /* unknown CA */
     status &= ~GNUTLS_CERT_UNEXPECTED_OWNER; /* mismatched hostname */
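Review bot: The bypass at the new `return 0` is logged at info level and without naming the peer, which makes a disabled CA check hard to spot later in a log; I would log it as a warning and include the hostname the handshake was asked to verify, e.g. `msg_Warn(creds, "CA check disabled: accepting untrusted certificate for %s", host);` (the hostname parameter's name is cut off by the hunk header, so adjust it to whatever gnutls_ClientHandshake calls it). The exact-equality comparison is the right shape here: a self-signed or unknown-issuer certificate that additionally fails hostname matching carries `GNUTLS_CERT_UNEXPECTED_OWNER` as well, does not match, and falls through to the normal path. What the early return skips after this point I cannot see — gnutls_ClientHandshake starts and ends outside the hunk — so it is worth confirming that nothing later in the function (for instance a user-facing acceptance prompt or ALPN bookkeeping) is expected to run on every successful handshake.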
diff --git a/src/network/tls.c b/src/network/tls.c
index 56e04d6ce7..aea5012387 100644
--- a/src/network/tls.c
+++ b/src/network/tls.c
@@ -95,6 +95,7 @@ vlc_tls_ServerCreate (vlc_object_t *obj, const char *cert_path,
     if (key_path == NULL)
         key_path = cert_path;
 
+    srv->ignore_ca_check = false;
     srv->module = vlc_module_load (srv, "tls server", NULL, false,
                                    tls_server_load, srv, cert_path, key_path);
     if (srv->module == NULL)
@@ -114,6 +115,7 @@ vlc_tls_creds_t *vlc_tls_ClientCreate (vlc_object_t *obj)
     if (unlikely(crd == NULL))
         return NULL;
 
+    crd->ignore_ca_check = false;
     crd->module = vlc_module_load (crd, "tls client", NULL, false,
                                    tls_client_load, crd);
     if (crd->module == NULL)
-- 
2.11.0


