Drop SSL authentication mode NONE and use DENY as default

Drop the mode NONE, since NO, DENY, WARN and ALLOW should cover all
cases.
Use DENY as default as its the most secure one, and users might expect
applications to be secure by default.  Failures are reported in the logs
and can then be exempted by choosing a different option.

Author: cgzones

src/netlog/netlog-dtls.c

@@ -118,7 +118,7 @@ int dtls_connect(DTLSManager *m, SocketAddress *address) {
         bio = NULL;
 
         /* Certification verification  */
-        if (m->auth_mode != OPEN_SSL_CERTIFICATE_AUTH_MODE_NONE && m->auth_mode != OPEN_SSL_CERTIFICATE_AUTH_MODE_INVALID) {
+        if (m->auth_mode != OPEN_SSL_CERTIFICATE_AUTH_MODE_NONE) {
                 log_debug("DTLS: enable certificate verification");
 
                 SSL_set_ex_data(ssl, EX_DATA_TLSMANAGER, m);

src/netlog/netlog-manager.c

@@ -634,7 +634,7 @@ int manager_new(const char *state_file, const char *cursor, Manager **ret) {
                 .state_file = strdup(state_file),
                 .protocol = SYSLOG_TRANSMISSION_PROTOCOL_UDP,
                 .log_format = SYSLOG_TRANSMISSION_LOG_FORMAT_RFC_5424,
-                .auth_mode = OPEN_SSL_CERTIFICATE_AUTH_MODE_INVALID,
+                .auth_mode = OPEN_SSL_CERTIFICATE_AUTH_MODE_DENY,
                 .connection_retry_usec = DEFAULT_CONNECTION_RETRY_USEC,
                 .ratelimit = (const RateLimit) {
                         RATELIMIT_INTERVAL_USEC,

src/netlog/netlog-tls.c

@@ -117,8 +117,8 @@ int tls_connect(TLSManager *m, SocketAddress *address) {
                                        "TLS: Failed to SSL_set_fd: %s",
                                        ERR_error_string(ERR_get_error(), NULL));
         /* Certification verification  */
-        if (m->auth_mode != OPEN_SSL_CERTIFICATE_AUTH_MODE_NONE && m->auth_mode != OPEN_SSL_CERTIFICATE_AUTH_MODE_INVALID) {
-                log_debug("TLS: enable certificate verification");
+        if (m->auth_mode != OPEN_SSL_CERTIFICATE_AUTH_MODE_NONE) {
+                log_debug("TLS: enable certificate verification with mode %s", certificate_auth_mode_to_string(m->auth_mode));
 
                 SSL_set_ex_data(ssl, EX_DATA_TLSMANAGER, m);
                 SSL_set_ex_data(ssl, EX_DATA_PRETTYADDRESS, pretty);

src/netlog/netlog-tls.h

@@ -13,7 +13,6 @@ typedef enum OpenSSLCertificateAuthMode {
         OPEN_SSL_CERTIFICATE_AUTH_MODE_DENY     = 1 << 2,
         OPEN_SSL_CERTIFICATE_AUTH_MODE_WARN     = 1 << 3,
         OPEN_SSL_CERTIFICATE_AUTH_MODE_MAX      = 1 << 4,
-        OPEN_SSL_CERTIFICATE_AUTH_MODE_INVALID  = -1,
 } OpenSSLCertificateAuthMode;
 
 typedef struct TLSManager TLSManager;