
add VS_no_date_check

David Rose 23 tahun lalu
d5c5811404

+ 7 - 9
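--- a/panda/src/downloader/httpClient.I
+++ b/panda/src/downloader/httpClient.I
@@ -68,16 +68,14 @@ get_http_version() const {
 //       Access: Published
 //  Description: Specifies whether the client will insist on verifying
 //               the identity of the servers it connects to via SSL
-//               (that is, https).  If this is true (the default),
-//               connections will only be allowed to trusted servers.
+//               (that is, https).  
+//
+//               The parameter value is an enumerated type which
+//               indicates the level of security to which the client
+//               will insist upon.
 ////////////////////////////////////////////////////////////////////
 INLINE void HTTPClient::
-set_verify_ssl(bool verify_ssl) {
-  if (verify_ssl) {
-    SSL_CTX_set_verify(_ssl_ctx, SSL_VERIFY_PEER, NULL);
-  } else {
-    SSL_CTX_set_verify(_ssl_ctx, SSL_VERIFY_NONE, NULL);
-  }
+set_verify_ssl(HTTPClient::VerifySSL verify_ssl) {
   _verify_ssl = verify_ssl;
 }
 
@@ -88,7 +86,7 @@ set_verify_ssl(bool verify_ssl) {
 //               the identity of the servers it connects to via SSL
 //               (that is, https).  See set_verify_ssl().
 ////////////////////////////////////////////////////////////////////
-INLINE bool HTTPClient::
+INLINE HTTPClient::VerifySSL HTTPClient::
 get_verify_ssl() const {
   return _verify_ssl;
 }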
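Review bot: The rewritten description of set_verify_ssl() stops at "(that is, https).  " and names none of the modes, so a caller still has to open httpClient.h to learn what the three levels mean, and it no longer says when the setting takes effect now that the SSL_CTX_set_verify() calls are gone and the value is only consulted by make_https_connection() in the .cxx hunks of this commit. I would replace the trailing paragraph with a short sentence saying the value is one of VS_no_verify (accept any server), VS_no_date_check (require a trusted certificate but ignore its validity period) or VS_normal (the value chosen when the verify-ssl config variable is true, which also rejects expired or not-yet-valid certificates), and that it is applied at the next https connection rather than to the shared SSL context. The same one-line pointer on get_verify_ssl() would be enough there.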

+ 41 - 26
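--- a/panda/src/downloader/httpClient.cxx
+++ b/panda/src/downloader/httpClient.cxx
@@ -52,7 +52,7 @@ X509_STORE *HTTPClient::_x509_store = NULL;
 HTTPClient::
 HTTPClient() {
   _http_version = HV_11;
-  _verify_ssl = verify_ssl;
+  _verify_ssl = verify_ssl ? VS_normal : VS_no_verify;
   make_ctx();
 }
 
@@ -66,7 +66,7 @@ HTTPClient(const HTTPClient &copy) {
   // We can initialize these to default values because the operator =
   // function will copy them in a second.
   _http_version = HV_11;
-  _verify_ssl = verify_ssl;
+  _verify_ssl = verify_ssl ? VS_normal : VS_no_verify;
   make_ctx();
 
   (*this) = copy;
@@ -81,7 +81,7 @@ void HTTPClient::
 operator = (const HTTPClient &copy) {
   _proxy = copy._proxy;
   _http_version = copy._http_version;
-  set_verify_ssl(copy._verify_ssl);
+  _verify_ssl = copy._verify_ssl;
   clear_expected_servers();
 
   ExpectedServers::const_iterator ei;
@@ -352,13 +352,6 @@ make_ctx() {
   }
 #endif
 
-  // Insist on verifying servers if we are configured to.
-  if (_verify_ssl) {
-    SSL_CTX_set_verify(_ssl_ctx, SSL_VERIFY_PEER, NULL);
-  } else {
-    SSL_CTX_set_verify(_ssl_ctx, SSL_VERIFY_NONE, NULL);
-  }
-
   // Get the configured set of expected servers.
   {
     // Load in any default certificates listed in the Configrc file.
@@ -664,11 +657,11 @@ establish_https_proxy(const URLSpec &url) {
         << ": " << doc->get_status_code() << " "
         << doc->get_status_string() << "\n";
       
-      if (!get_verify_ssl()) {
+      if (get_verify_ssl() == VS_no_verify) {
         // If the proxy refused to open a raw connection for us, see
         // if it will handle the https communication itself.  For
         // other error codes, just return error.  (We can only
-        // reliably do this if verify_ssl is not true, since we're not
+        // reliably do this if verify_ssl is minimal, since we're not
         // sure whether to trust the proxy to do the verification for
         // us.)
         if ((doc->get_status_code() / 100) == 4) {
@@ -719,25 +712,45 @@ make_https_connection(BIO *bio, const URLSpec &url) const {
 #ifdef REPORT_SSL_ERRORS
     ERR_print_errors_fp(stderr);
 #endif
-    BIO_free_all(bio);
+    BIO_free_all(sbio);
     return NULL;
   }
 
   long verify_result = SSL_get_verify_result(ssl);
-  if (verify_result != X509_V_OK) {
-    downloader_cat.warning()
+  if (verify_result == X509_V_ERR_CERT_HAS_EXPIRED) {
+    downloader_cat.info()
+      << "Expired certificate from " << url.get_server() << ":"
+      << url.get_port() << "\n";
+    if (get_verify_ssl() == VS_normal) {
+      BIO_free_all(sbio);
+      return NULL;
+    }
+
+  } else if (verify_result == X509_V_ERR_CERT_NOT_YET_VALID) {
+    downloader_cat.info()
+      << "Premature certificate from " << url.get_server() << ":"
+      << url.get_port() << "\n";
+    if (get_verify_ssl() == VS_normal) {
+      BIO_free_all(sbio);
+      return NULL;
+    }
+
+  } else if (verify_result != X509_V_OK) {
+    downloader_cat.info()
       << "Unable to verify identity of " << url.get_server() << ":" 
       << url.get_port() << ", verify error code " << verify_result << "\n";
+    if (get_verify_ssl() != VS_no_verify) {
+      BIO_free_all(sbio);
+      return NULL;
+    }
   }
 
   X509 *cert = SSL_get_peer_certificate(ssl);
   if (cert == (X509 *)NULL) {
     downloader_cat.info()
       << "No certificate was presented by server.\n";
-
-    if (!_expected_servers.empty()) {
-      downloader_cat.info()
-        << "Not allowing connection since no certificates could be matched.\n";
+    if (get_verify_ssl() != VS_no_verify ||
+        !_expected_servers.empty()) {
       BIO_free_all(sbio);
       return NULL;
     }
@@ -752,13 +765,15 @@ make_https_connection(BIO *bio, const URLSpec &url) const {
 
     X509_NAME *subject = X509_get_subject_name(cert);
 
-    string org_name = get_x509_name_component(subject, NID_organizationName);
-    string org_unit_name = get_x509_name_component(subject, NID_organizationalUnitName);
-    string common_name = get_x509_name_component(subject, NID_commonName);
-
-    downloader_cat.info()
-      << "Server is " << common_name << " from " << org_unit_name
-      << " / " << org_name << "\n";
+    if (downloader_cat.is_debug()) {
+      string org_name = get_x509_name_component(subject, NID_organizationName);
+      string org_unit_name = get_x509_name_component(subject, NID_organizationalUnitName);
+      string common_name = get_x509_name_component(subject, NID_commonName);
+      
+      downloader_cat.debug()
+        << "Server is " << common_name << " from " << org_unit_name
+        << " / " << org_name << "\n";
+    }
 
     if (!verify_server(subject)) {
       downloader_cat.info()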
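Review bot: Treating X509_V_ERR_CERT_HAS_EXPIRED or X509_V_ERR_CERT_NOT_YET_VALID as "identity verified, only the date is off" in the make_https_connection() hunk is weaker than the VS_no_date_check comment in httpClient.h promises, because SSL_get_verify_result() reports the error at which OpenSSL stopped and, with no verify callback installed (the SSL_CTX_set_verify() calls are removed in the make_ctx() hunk), chain verification stops at the first failing certificate, so a date error on one certificate can mask checks that would have run afterwards on the rest of the chain and VS_no_date_check then accepts a chain whose only reported problem is the date. A verify callback that returns 1 for exactly those two errors and 0 for anything else lets the remaining checks run while the date error, or a later worse one, still ends up in SSL_get_verify_result(); since the per-mode decision already lives in make_https_connection(), the callback can be installed once in make_ctx() under SSL_VERIFY_NONE as sketched below — confirm against the OpenSSL release in use that the callback is invoked in SSL_VERIFY_NONE client mode and that the last error seen is what SSL_get_verify_result() returns. Separately, nothing in the hunk ties the presented certificate to url.get_server(): the subject only reaches verify_server() against _expected_servers, so with no expected servers configured any certificate from a trusted CA passes VS_normal for any host; if verify_server() (body outside this hunk) does not compare the subject to the requested host, that deserves an explicit check or at least a comment on the VS_normal path. make_https_connection() starts and ends outside the hunk.
```cpp
// Verify callback: keep checking the rest of the chain past a validity-period
// error so a later failure (bad signature, untrusted issuer) is still reported;
// make_https_connection() decides per VerifySSL mode what to accept.
static int
verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
  if (preverify_ok) {
    return 1;
  }
  int err = X509_STORE_CTX_get_error(ctx);
  return (err == X509_V_ERR_CERT_HAS_EXPIRED ||
          err == X509_V_ERR_CERT_NOT_YET_VALID);
}

// … unchanged: make_ctx() context and certificate-store setup …
  // Never abort the handshake here; the result is inspected after connect.
  SSL_CTX_set_verify(_ssl_ctx, SSL_VERIFY_NONE, verify_callback);
```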

+ 9 - 3
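--- a/panda/src/downloader/httpClient.h
+++ b/panda/src/downloader/httpClient.h
@@ -76,8 +76,14 @@ PUBLISHED:
 
   bool load_certificates(const Filename &filename);
 
-  INLINE void set_verify_ssl(bool verify_ssl);
-  INLINE bool get_verify_ssl() const;
+  enum VerifySSL {
+    VS_no_verify,     // Don't care who we talk to
+    VS_no_date_check, // Must identify certs, but old, expired certs are OK
+    VS_normal         // Identify certs and also check expiration dates.
+  };
+
+  INLINE void set_verify_ssl(VerifySSL verify_ssl);
+  INLINE VerifySSL get_verify_ssl() const;
 
   bool add_expected_server(const string &server_attributes);
   void clear_expected_servers();
@@ -113,7 +119,7 @@ private:
 
   URLSpec _proxy;
   HTTPVersion _http_version;
-  bool _verify_ssl;
+  VerifySSL _verify_ssl;
 
   typedef pmap<string, string> Usernames;
   Usernames _usernames;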
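Review bot: The comment on VS_no_date_check says only expired certificates are tolerated, but make_https_connection() in this commit also lets X509_V_ERR_CERT_NOT_YET_VALID through under that mode, so the enum documentation under-states what the mode accepts. I would change the line to `VS_no_date_check, // Must identify certs, but ignore the validity period (expired or not-yet-valid certs are OK)` and add on VS_normal that it is the value selected when the verify-ssl config variable is true, which is what the constructors in httpClient.cxx do in this commit. A one-line note that the enum values are ordered from least to most strict would also document the `!= VS_no_verify` comparisons the .cxx relies on.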

+ 3 - 1
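--- a/panda/src/downloader/httpDocument.cxx
+++ b/panda/src/downloader/httpDocument.cxx
@@ -77,7 +77,9 @@ send_request(const string &method, const URLSpec &url, const string &body) {
   // Let's call this before we call make_header(), so we'll get the
   // right HTTP version and proxy information etc.
   set_url(url);
-  prepare_for_next();
+  if (!prepare_for_next()) {
+    return false;
+  }
 
   string header;
   make_header(header, method, url, body);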