Commit 7b3eb71e authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont

Always check the certificates chain - it does not make any sense, is...

Always check the certificate chain - it does not make any sense, is counter-intuitive and insecure to use X.509 but not validate the certificates.
The whole security, and the very point, of TLS relies on this...
parent c7d79839
...@@ -72,11 +72,6 @@ static void CloseServer (vlc_object_t *); ...@@ -72,11 +72,6 @@ static void CloseServer (vlc_object_t *);
"This is the maximum number of resumed TLS sessions that " \ "This is the maximum number of resumed TLS sessions that " \
"the cache will hold." ) "the cache will hold." )
#define CHECK_CERT_TEXT N_("Check TLS/SSL server certificate validity")
#define CHECK_CERT_LONGTEXT N_( \
"This ensures that the server certificate is valid " \
"(i.e. signed by an approved Certification Authority)." )
vlc_module_begin(); vlc_module_begin();
set_shortname( "GnuTLS" ); set_shortname( "GnuTLS" );
set_description( _("GnuTLS transport layer security") ); set_description( _("GnuTLS transport layer security") );
...@@ -85,8 +80,7 @@ vlc_module_begin(); ...@@ -85,8 +80,7 @@ vlc_module_begin();
set_category( CAT_ADVANCED ); set_category( CAT_ADVANCED );
set_subcategory( SUBCAT_ADVANCED_MISC ); set_subcategory( SUBCAT_ADVANCED_MISC );
add_bool( "tls-check-cert", VLC_TRUE, NULL, CHECK_CERT_TEXT, add_obsolete_bool( "tls-check-cert" );
CHECK_CERT_LONGTEXT, VLC_FALSE );
add_obsolete_bool( "tls-check-hostname" ); add_obsolete_bool( "tls-check-hostname" );
add_submodule(); add_submodule();
...@@ -728,19 +722,15 @@ static int OpenClient (vlc_object_t *obj) ...@@ -728,19 +722,15 @@ static int OpenClient (vlc_object_t *obj)
sprintf (path, "%s/ssl", homedir); sprintf (path, "%s/ssl", homedir);
utf8_mkdir (path, 0755); utf8_mkdir (path, 0755);
if (var_CreateGetBool (obj, "tls-check-cert")) sprintf (path, "%s/ssl/certs", homedir);
{ gnutls_Addx509Directory (VLC_OBJECT (p_session),
sprintf (path, "%s/ssl/certs", homedir); p_sys->x509_cred, path, VLC_FALSE);
gnutls_Addx509Directory (VLC_OBJECT (p_session),
p_sys->x509_cred, path, VLC_FALSE); sprintf (path, "%s/ca-certificates.crt", datadir);
gnutls_Addx509File (VLC_OBJECT (p_session),
sprintf (path, "%s/ca-certificates.crt", datadir); p_sys->x509_cred, path, VLC_FALSE);
gnutls_Addx509File (VLC_OBJECT (p_session), p_session->pf_handshake = gnutls_HandshakeAndValidate;
p_sys->x509_cred, path, VLC_FALSE); /*p_session->pf_handshake = gnutls_ContinueHandshake;*/
p_session->pf_handshake = gnutls_HandshakeAndValidate;
}
else
p_session->pf_handshake = gnutls_ContinueHandshake;
sprintf (path, "%s/ssl/private", homedir); sprintf (path, "%s/ssl/private", homedir);
gnutls_Addx509Directory (VLC_OBJECT (p_session), p_sys->x509_cred, gnutls_Addx509Directory (VLC_OBJECT (p_session), p_sys->x509_cred,
......