SSL certificate checking#190
Open
adamdickmeiss wants to merge 7 commits into
Open
Conversation
New flag CS_FLAGS_CHECK_CERT for comstack which controls whether rcvconnect phase of client should check certificate. Is disabled by default to main compatibility. yaz-ztest/GFS allows fullchain and private PEM to specified separately; a comma separates the two file names.
There was a problem hiding this comment.
Pull request overview
This PR introduces optional TLS/SSL certificate verification across YAZ networking utilities by threading a new “check cert” flag from CLI/API layers into the COMSTACK/TLS (GnuTLS) implementation, plus related documentation updates.
Changes:
- Add
-CCLI option foryaz-urlandyaz-clientto enable TLS certificate verification. - Expose
yaz_url_set_check_certand propagate the check-cert intent via a newCS_FLAGS_CHECK_CERTCOMSTACK flag. - Implement GnuTLS peer certificate verification and allow specifying separate certificate/private-key files via
cert,keyparsing.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| util/yaz-url.c | Adds -C option to enable certificate checking for yaz-url requests. |
| src/yaz/url.h | Declares new yaz_url_set_check_cert API. |
| src/yaz/comstack.h | Introduces CS_FLAGS_CHECK_CERT flag. |
| src/url.c | Stores check-cert setting on yaz_url_t and passes it into cs_create_host2. |
| src/tcpip.c | Adds system trust loading, TLS peer verification, and separate key file handling for servers. |
| src/comstack.c | Removes an extra blank line. |
| doc/yaz-url-man.xml | Documents -C option for yaz-url. |
| doc/yaz-client-man.xml | Documents -C option for yaz-client. |
| doc/gfs-options.xml | Documents comma-separated cert/key behavior for server SSL certificate option. |
| client/client.c | Adds -C option and propagates CS_FLAGS_CHECK_CERT into connection creation. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
789
to
792
| tcpip_create_cred(h); | ||
| gnutls_certificate_set_x509_system_trust(sp->cred_ptr->xcred); | ||
| gnutls_init(&sp->session, GNUTLS_CLIENT); | ||
| sp->use_bye = 1; /* only say goodbye in client */ |
| @@ -18,6 +18,7 @@ | |||
| static void usage(void) | |||
| { | |||
| printf("yaz-icu [options] url ..\n"); | |||
Comment on lines
+753
to
+754
| size_t sz = 80 + strlen(sp->connect_host) + (sp->connect_auth ? strlen(sp->connect_auth) * 2 : 0); | ||
| char *connect_buf = (char *)xmalloc(sz); |
Comment on lines
1431
to
1434
| xfree(sp->host_port); | ||
| xfree(sp->connect_request_buf); | ||
| xfree(sp->connect_host); | ||
| xfree(sp->connect_response_buf); | ||
| xfree(sp); |
Comment on lines
795
to
798
| tcpip_create_cred(h); | ||
| gnutls_certificate_set_x509_system_trust(sp->cred_ptr->xcred); | ||
| gnutls_init(&sp->session, GNUTLS_CLIENT); | ||
| sp->use_bye = 1; /* only say goodbye in client */ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.