--- loncom/lonssl.pm 2018/12/03 03:40:39 1.20
+++ loncom/lonssl.pm 2018/12/10 17:34:22 1.21
@@ -1,5 +1,5 @@
 #
-# $Id: lonssl.pm,v 1.20 2018/12/03 03:40:39 raeburn Exp $
+# $Id: lonssl.pm,v 1.21 2018/12/10 17:34:22 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -112,11 +112,12 @@ sub SetFdBlocking {
 # Socket IO::Socket::INET Original ordinary socket.
 # CACert string Full path name to the certificate
 # authority certificate file.
-# MyCert string Full path name to the certificate
+# MyCert string Full path name to the certificate
 # issued to this host.
-# KeyFile string Full pathname to the host's private
+# KeyFile string Full pathname to the host's private
 # key file for the certificate.
-# peer string lonHostID of remote LON-CAPA server
+# peer string lonid of remote LON-CAPA server
+# peerdef string default lonHostID of remote server
 # CRLFile Full path name to the certificate
 # revocation list file for the cluster
 # to which server belongs (optional)
@@ -134,6 +135,7 @@ sub PromoteClientSocket {
 $MyCert,
 $KeyFile,
 $peer,
+ $peerdef,
 $CRLFile) = @_;
 Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, CRL: $CRLFile, Remote Host: $peer\n");
@@ -158,12 +160,17 @@ sub PromoteClientSocket {
 # Set SSL_verify_mode to Net::SSLeay::VERIFY_PEER() instead of to
 # SSL_VERIFY_PEER for compatibility with IO::Socket::SSL rev. 1.01
 # used by CentOS/RHEL/Scientific Linux 5).
-
+
+ my $verify_cn = $peerdef;
+ if ($verify_cn eq '') {
+ $verify_cn = $peer;
+ }
+
 my %sslargs = (SSL_use_cert => 1,
 SSL_key_file => $KeyFile,
 SSL_cert_file => $MyCert,
 SSL_ca_file => $CACert,
- SSL_verifycn_name => $peer,
+ SSL_verifycn_name => $verify_cn,
 SSL_verify_mode => Net::SSLeay::VERIFY_PEER());
 if (($CRLFile ne '') && (-e $CRLFile)) {
 $sslargs{SSL_check_crl} = 1;
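Review bot: Inserting `$peerdef` as a positional parameter between `$peer` and `$CRLFile` changes the argument order every caller of PromoteClientSocket must follow; a caller not updated in the same commit would now have its CRL path land in `$peerdef` (which the later hunk feeds into `SSL_verifycn_name`) while `$CRLFile` is left undefined, so the `-e $CRLFile` test fails and the CRL check is silently skipped. Whether every caller was updated is not visible from this diff, so that is worth confirming. The Debug line on the following context line still reports only `$peer`; since the new parameter now decides which name is verified, logging it too would help when diagnosing a certificate-name mismatch, e.g. `Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, CRL: $CRLFile, Remote Host: $peer, Default HostID: $peerdef\n");`. PromoteClientSocket's signature and body extend outside this hunk.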
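Review bot: `if ($verify_cn eq '')` does not account for an undefined `$peerdef` — the fallback to `$peer` still happens because undef stringifies to '', but under `use warnings` every call made without a default hostID emits an "uninitialized value" warning; `my $verify_cn = (defined $peerdef && $peerdef ne '') ? $peerdef : $peer;` states the intent without the noise. On the security side, `SSL_verifycn_name` only supplies the expected name — the argument list in this hunk sets no `SSL_verifycn_scheme`, and whether IO::Socket::SSL compares the peer certificate against that name when no scheme is given has varied across versions (the comment above mentions compatibility back to rev. 1.01), so it would be worth confirming on the oldest supported install that a name mismatch is actually rejected rather than merely logged. A short comment above the new assignment would also help future readers, e.g. `# Name checked against the remote certificate: prefer the default hostID, fall back to the lonid.`. The rest of PromoteClientSocket lies outside this hunk.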