tls_wolfssl: ignore invalid CAs when setting ca_dir

This will align the behavior of opensips when using wolfssl or openssl. Credits to @benceszigeti for suggesting the solution. Closes #2955
OpenSIPS · Jan 20, 2023 · 77f5f5a · 77f5f5a
1 parent 9af1926
commit 77f5f5a
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 14 deletions.
diff --git a/modules/tls_mgm/doc/tls_mgm_admin.xml b/modules/tls_mgm/doc/tls_mgm_admin.xml
@@ -425,11 +425,6 @@ modparam("tls_mgm", "ca_list", "[dom]/mycerts/certs/ca_list.pem")
 			<emphasis>Hashed Directory Method</emphasis>. The domain part
 			represents the name of the TLS domain.
 			</para>
-			<para>
-			Note that when using the <emphasis>wolfSSL</emphasis> library, you might
-			get a warning message if some of the certificates in the directory are expired,
-			despite successfully loading the valid ones.
-			</para>
 			<para><emphasis>
 				Default value is "/etc/pki/CA/".
 			</emphasis></para>

diff --git a/modules/tls_wolfssl/wolfssl_config.c b/modules/tls_wolfssl/wolfssl_config.c
@@ -434,9 +434,10 @@ static int load_ca_dir(WOLFSSL_CTX * ctx, char *directory)
 {
 	int rc;
 
-	if ((rc = wolfSSL_CTX_load_verify_locations(ctx, 0, directory)) !=
+	if ((rc = wolfSSL_CTX_load_verify_locations_ex(ctx, 0, directory,
+		WOLFSSL_LOAD_FLAG_IGNORE_ERR)) !=
 		SSL_SUCCESS) {
-		LM_WARN("unable to load ca directory '%s' (ret=%d)\n", directory, rc);
+		LM_ERR("unable to load ca directory '%s' (ret=%d)\n", directory, rc);
 		return -1;
 	}
 
@@ -447,7 +448,6 @@ static int load_ca_dir(WOLFSSL_CTX * ctx, char *directory)
 int _wolfssl_init_tls_dom(struct tls_domain *d, int init_flags)
 {
 	int verify_mode = 0;
-	int rc = -1;
 	int ret = -1;
 
 	if (d->method_str.s && tls_get_method(&d->method_str, &d->method,
@@ -544,18 +544,15 @@ int _wolfssl_init_tls_dom(struct tls_domain *d, int init_flags)
 		goto end;
 
 	if (!(d->flags & DOM_FLAG_DB) || init_flags & TLS_DOM_CA_FILE_FL) {
-		if (d->ca.s && (rc = load_ca(d->ctx, d->ca.s)) < 0)
+		if (d->ca.s && load_ca(d->ctx, d->ca.s) < 0)
 			goto end;
 	} else {
-		if ((rc = load_ca_db(d->ctx, &d->ca)) < 0)
+		if (load_ca_db(d->ctx, &d->ca) < 0)
 			goto end;
 	}
 
-	if (d->ca_directory && load_ca_dir(d->ctx, d->ca_directory) < 0 &&
-		rc == -1) {
-		LM_ERR("No CA loaded\n");
+	if (d->ca_directory && load_ca_dir(d->ctx, d->ca_directory) < 0)
 		goto end;
-	}
 
 	ret = 0;
 end: