rb_dlink_node *ptr;
int error = -1;
const char *encr;
+ bool name_matched = false;
+ bool host_matched = false;
+ bool certfp_failed = false;
s_assert(NULL != client_p);
if(client_p == NULL)
if(!match(tmp_p->name, name))
continue;
- error = -3;
+ name_matched = true;
/* XXX: Fix me for IPv6 */
/* XXX sockhost is the IPv4 ip as a string */
if(match(tmp_p->host, client_p->host) ||
match(tmp_p->host, client_p->sockhost))
{
- error = -2;
+ host_matched = true;
if(tmp_p->passwd)
{
if(tmp_p->certfp)
{
- if(!client_p->certfp || rb_strcasecmp(tmp_p->certfp, client_p->certfp) != 0)
+ if(!client_p->certfp || rb_strcasecmp(tmp_p->certfp, client_p->certfp) != 0) {
+ certfp_failed = true;
continue;
+ }
}
server_p = tmp_p;
}
if(server_p == NULL)
+ {
+ /* return the most specific error */
+ if(certfp_failed)
+ error = -6;
+ else if(host_matched)
+ error = -2;
+ else if(name_matched)
+ error = -3;
+
return error;
+ }
if(ServerConfSSL(server_p) && client_p->localClient->ssl_ctl == NULL)
{
exit_client(client_p, client_p, client_p, "Access denied, requires SSL/TLS but is plaintext");
return;
+ case -6:
+ sendto_realops_snomask(SNO_GENERAL, L_ALL,
+ "Connection from servername %s has invalid certificate fingerprint %s",
+ name, client_p->certfp);
+ ilog(L_SERVER, "Access denied, invalid certificate fingerprint %s from %s",
+ client_p->certfp, log_client_name(client_p, SHOW_IP));
+
+ exit_client(client_p, client_p, client_p, "Invalid fingerprint.");
+ return;
default:
sendto_realops_snomask(SNO_GENERAL, L_ALL,
"Connection from servername %s rejected, unknown error %d",
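Review bot: The new `case -6` branch passes `client_p->certfp` to a `%s` conversion in both the snomask notice and the ilog call, yet check_server sets `certfp_failed` when `client_p->certfp` is NULL as well as on a mismatch (the `!client_p->certfp ||` test), so a peer that presents no client certificate reaches these calls with a NULL argument — undefined behaviour, and at best a "(null)" in the log. Bind a non-NULL string first, e.g. `const char *fp = client_p->certfp != NULL ? client_p->certfp : "<none>";`, and pass `fp` in place of `client_p->certfp` on both format lines. Separately, the explicit "Invalid fingerprint." rejection tells an unauthenticated peer that its claimed servername and host matched a configured link block with a fingerprint, where the old code left `error` at `-2` and gave the generic rejection; if that disclosure is intended, a short comment on the `-6` case saying so would help the next reader. The switch and the function containing it both begin before and end after this hunk.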