Use SSL callback to verify bound IP for multihomed machines

git-svn-id: https://mumble.svn.sourceforge.net/svnroot/mumble/trunk@900 05730e5d-ab1b-0410-a4ac-84af385074fa

1 files changed, 5 insertions, 3 deletions

diff --git a/src/murmur/Cert.cpp b/src/murmur/Cert.cpp
index 675793b88..2ccfb56a0 100644
--- a/src/murmur/Cert.cpp
+++ b/src/murmur/Cert.cpp
@@ -48,7 +48,7 @@ int add_ext(X509 * crt, int nid, char *value) {
 void Server::initializeCert() {

 	QByteArray crt, key;

 

-	if (QSslSocket::supportsSsl()) {

+	if (! QSslSocket::supportsSsl()) {

 		qFatal("Qt without SSL Support");

 	}

 

@@ -59,6 +59,9 @@ void Server::initializeCert() {
 		qscCert = QSslCertificate(crt);

 		if (qscCert.isNull()) {

 			log("Failed to parse certificate.");

+		} else if (qscCert.issuerInfo(QSslCertificate::CommonName) == QLatin1String("Murmur Autogenerated Certificate")) {

+			log("Old autogenerated certificate is unusable for registration, invalidating it");

+			qscCert = QSslCertificate();

 		}

 	}

 

@@ -116,12 +119,11 @@ void Server::initializeCert() {
 

 			X509_NAME *name=X509_get_subject_name(x509);

 

-			X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, reinterpret_cast<unsigned char *>(const_cast<char *>("Murmur Autogenerated Certificate")), -1, -1, 0);

+			X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, reinterpret_cast<unsigned char *>(const_cast<char *>("Murmur Autogenerated Certificate v2")), -1, -1, 0);

 			X509_set_issuer_name(x509, name);

 			add_ext(x509, NID_basic_constraints, "critical,CA:FALSE");

 			add_ext(x509, NID_ext_key_usage, "serverAuth,clientAuth");

 			add_ext(x509, NID_subject_key_identifier, "hash");

-			add_ext(x509, NID_netscape_cert_type, "server");

 			add_ext(x509, NID_netscape_comment, "Generated from murmur");

 

 			X509_sign(x509, pkey, EVP_md5());