Add network-specific config for cert validation

Added the following two network-specific configuration options that can be changed via controlpanel or webadmin: * TrustAllCerts: Will trust ALL certificates when enabled, effectively disabling TLS certificate validation. Default value: false * TrustPKI: Whether or not to trust PKI-valid certificates. Setting this to false will make znc trust only trusted certificates added by the user. Default value: true With default values, behavior is exactly the same as before. This is based on the work of Roelf Wichertjes. See YourBNC/znc@5c747598. See znc/znc#866.
2026-03-28 17:42:41 +01:00 · 2016-05-20 01:17:26 +02:00
parent c5db7793d3
commit 409ed4b6bc
8 changed files with 69 additions and 2 deletions
--- a/src/Socket.cpp
+++ b/src/Socket.cpp
@@ -123,13 +123,17 @@ void CZNCSock::SSLHandShakeFinished() {
        Close();
        return;
    }
+    if (GetTrustAllCerts()) {
+        DEBUG(GetSockName() + ": Verification disabled, trusting all.");
+        return;
+    }
    CString sHostVerifyError;
    if (!ZNC_SSLVerifyHost(m_sHostToVerifySSL, pCert, sHostVerifyError)) {
        m_ssCertVerificationErrors.insert(sHostVerifyError);
    }
    X509_free(pCert);
-    if (m_ssCertVerificationErrors.empty()) {
-        DEBUG(GetSockName() + ": Good cert");
+    if (GetTrustPKI() && m_ssCertVerificationErrors.empty()) {
+        DEBUG(GetSockName() + ": Good cert (PKI valid)");
        return;
    }
    CString sFP = GetSSLPeerFingerprint();