[vlc-devel] [PATCH 1/2] tls: Add a way to ignore CA check.
Rémi Denis-Courmont
remi at remlab.net
Thu Jan 18 13:47:20 CET 2018
On 18 January 2018 12:25:32 GMT+02:00, "Hugo Beauzée-Luyssen" <hugo at beauzee.fr> wrote:
>---
> include/vlc_tls.h | 13 +++++++++++++
> modules/misc/gnutls.c | 7 +++++++
> src/network/tls.c | 2 ++
> 3 files changed, 22 insertions(+)
>
>diff --git a/include/vlc_tls.h b/include/vlc_tls.h
>index 92562b5e11..fa2afd17e1 100644
>--- a/include/vlc_tls.h
>+++ b/include/vlc_tls.h
>@@ -76,6 +76,19 @@ typedef struct vlc_tls_creds
> int (*handshake)(struct vlc_tls_creds *, vlc_tls_t *session,
> const char *hostname, const char *service,
> char ** /*restrict*/ alp);
>+
>+ /**
>+ * @brief ignore_ca_check allows a user to bypass the certificate
>authority
>+ * verification and accept self signed
>certificates.
>+ *
>+ * This will accept:
>+ * - Self signed certificate
>+ * - Certificates signed by known bad CA
>+ * - Certificates signed by unknown CA
>+ * This will still reject every other invalid certificates.
>+ * Use with caution and at your own risk.
>+ */
>+ bool ignore_ca_check;
> } vlc_tls_creds_t;
>
> /**
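Review bot: the doc comment on the new `ignore_ca_check` field promises more than the code behind it delivers. It lists "Certificates signed by known bad CA" among the accepted cases, but the only consumer in this series (the gnutls.c hunk) accepts a certificate solely when the verification status is exactly `GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID`, i.e. an unknown or self-signed issuer; a distrusted or revoked issuer is not that bit pattern and would still be rejected. Bring the list in line with what is actually accepted, fix "every other invalid certificates" to "every other invalid certificate", and say plainly that with this flag set the peer is not authenticated at all, since any party on the path can present its own self-signed certificate. Nothing in this patch ever sets the field to true; if 2/2 exposes it as an option, the comment should name that option so a reader of the header knows how it is reached.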
>diff --git a/modules/misc/gnutls.c b/modules/misc/gnutls.c
>index 1cca9c14a7..f12a7c5f1d 100644
>--- a/modules/misc/gnutls.c
>+++ b/modules/misc/gnutls.c
>@@ -445,6 +445,13 @@ static int gnutls_ClientHandshake(vlc_tls_creds_t
>*creds, vlc_tls_t *tls,
> gnutls_free (desc.data);
> }
>
>+ if (status == (GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID)
>&&
>+ creds->ignore_ca_check)
>+ {
>+ msg_Info( creds, "Accepting self-signed/untrusted CA
>certificate." );
>+ return 0;
>+ }
>+
> status &= ~GNUTLS_CERT_INVALID; /* always set / catch-all error */
> status &= ~GNUTLS_CERT_SIGNER_NOT_FOUND; /* unknown CA */
> status &= ~GNUTLS_CERT_UNEXPECTED_OWNER; /* mismatched hostname */
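Review bot: the early `return 0` turns off server authentication entirely, and the surrounding code shows why that is not a harmless relaxation. Because the comparison is an exact equality on `GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID`, a hostname mismatch (`GNUTLS_CERT_UNEXPECTED_OWNER`) still falls through to the existing handling, but that check no longer means anything: an active attacker simply presents a self-signed certificate bearing the expected hostname and passes. Accepting that silently at `msg_Info` level is too quiet; at minimum use `msg_Warn`. If the goal is to talk to a server with a self-signed certificate, the defensible design is to accept only a pinned certificate or public-key fingerprint supplied by the user, not any unknown issuer, so that the "self-signed/untrusted CA" path still authenticates something.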
>diff --git a/src/network/tls.c b/src/network/tls.c
>index 56e04d6ce7..aea5012387 100644
>--- a/src/network/tls.c
>+++ b/src/network/tls.c
>@@ -95,6 +95,7 @@ vlc_tls_ServerCreate (vlc_object_t *obj, const char
>*cert_path,
> if (key_path == NULL)
> key_path = cert_path;
>
>+ srv->ignore_ca_check = false;
> srv->module = vlc_module_load (srv, "tls server", NULL, false,
> tls_server_load, srv, cert_path, key_path);
> if (srv->module == NULL)
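Review bot: `srv->ignore_ca_check = false` in `vlc_tls_ServerCreate` has no reader anywhere in this patch; the only code that consults the flag is `gnutls_ClientHandshake`. Either document in vlc_tls.h that the field is meaningful for client credentials only, or drop this assignment so the server side does not carry a flag that suggests a client-CA bypass exists when none is implemented.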
>@@ -114,6 +115,7 @@ vlc_tls_creds_t *vlc_tls_ClientCreate (vlc_object_t
>*obj)
> if (unlikely(crd == NULL))
> return NULL;
>
>+ crd->ignore_ca_check = false;
> crd->module = vlc_module_load (crd, "tls client", NULL, false,
> tls_client_load, crd);
> if (crd->module == NULL)
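Review bot: having to add an explicit `crd->ignore_ca_check = false` to each constructor suggests `vlc_tls_creds_t` is not zero-initialised on allocation. For a flag whose non-zero value disables authentication, the safe default should be the zero value and should come from the allocation itself (calloc or a designated initialiser), so that any other code path that creates credentials, including out-of-tree modules linked against this header, cannot end up with the bypass enabled by an uninitialised byte. With that in place these per-constructor assignments become unnecessary.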
>--
>2.11.0
>
>_______________________________________________
>vlc-devel mailing list
>To unsubscribe or modify your subscription options:
>https://mailman.videolan.org/listinfo/vlc-devel
Nack. This is completely counter-sensical.
If you want anonymous TLS, then use anonymous TLS, but that's quite useless anyway.
--
Remi Denis-Courmont