@@ -247,21 +247,32 @@ proc alpnSelectProtoCB(
247247
248248proc verifyCertificate (
249249 ssl: ptr SSL , out_alert: ptr uint8
250- ): enum_ssl_verify_result_t {.cdecl .} =
251- let sslCtx = SSL_get_SSL_CTX (ssl)
252-
253- let quicCtx = cast [QuicContext ](SSL_CTX_get_ex_data (sslCtx, SSL_CTX_ID ))
254- if quicCtx.isNil:
255- raiseAssert " could not obtain context"
256-
257- let derCertificates = getFullCertChain (ssl)
258-
259- let serverName = SSL_get_servername (ssl, TLSEXT_NAMETYPE_host_name)
260- doAssert quicCtx.tlsConfig.certVerifier.isSome, " no custom validator set"
261- if quicCtx.tlsConfig.certVerifier.get ().verify ($ serverName, derCertificates):
262- return ssl_verify_ok
263- else :
264- out_alert[] = SSL_AD_CERTIFICATE_UNKNOWN
250+ ): enum_ssl_verify_result_t {.cdecl , raises : [].} =
251+ try :
252+ let sslCtx = SSL_get_SSL_CTX (ssl)
253+ if sslCtx.isNil:
254+ if not out_alert.isNil:
255+ out_alert[] = SSL_AD_INTERNAL_ERROR
256+ return ssl_verify_invalid
257+
258+ let quicCtx = cast [QuicContext ](SSL_CTX_get_ex_data (sslCtx, SSL_CTX_ID ))
259+ if quicCtx.isNil or quicCtx.tlsConfig.certVerifier.isNone:
260+ if not out_alert.isNil:
261+ out_alert[] = SSL_AD_INTERNAL_ERROR
262+ return ssl_verify_invalid
263+
264+ let derCertificates = getFullCertChain (ssl)
265+ let serverName = SSL_get_servername (ssl, TLSEXT_NAMETYPE_host_name)
266+ if quicCtx.tlsConfig.certVerifier.get ().verify ($ serverName, derCertificates):
267+ return ssl_verify_ok
268+
269+ if not out_alert.isNil:
270+ out_alert[] = SSL_AD_CERTIFICATE_UNKNOWN
271+ return ssl_verify_invalid
272+ except Exception as exc:
273+ warn " certificate verifier raised" , errorMsg = exc.msg
274+ if not out_alert.isNil:
275+ out_alert[] = SSL_AD_CERTIFICATE_UNKNOWN
265276 return ssl_verify_invalid
266277
267278proc setupSSLContext * (quicCtx: QuicContext ) =
0 commit comments