aboutsummaryrefslogtreecommitdiffstats
path: root/socket.c
diff options
context:
space:
mode:
authorMatthias Andree <matthias.andree@gmx.de>2019-01-27 13:37:20 +0100
committerMatthias Andree <matthias.andree@gmx.de>2019-01-27 13:37:20 +0100
commit3c74c3f3ec64f3a152aef07e0fec2863d72a988f (patch)
tree8b6e1b64535a0eac85506f0a375e30f756609073 /socket.c
parente275a3bb3f964f8eb271a2aad1016c16668f83e5 (diff)
downloadfetchmail-3c74c3f3ec64f3a152aef07e0fec2863d72a988f.tar.gz
fetchmail-3c74c3f3ec64f3a152aef07e0fec2863d72a988f.tar.bz2
fetchmail-3c74c3f3ec64f3a152aef07e0fec2863d72a988f.zip
Enable OpenSSL >= 1.0.2 native name verification.
Diffstat (limited to 'socket.c')
-rw-r--r--socket.c22
1 files changed, 22 insertions, 0 deletions
diff --git a/socket.c b/socket.c
index bcf06491..7550519b 100644
--- a/socket.c
+++ b/socket.c
@@ -636,6 +636,12 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict )
subj = X509_get_subject_name(x509_cert);
issuer = X509_get_issuer_name(x509_cert);
+ if (outlevel >= O_DEBUG) {
+ if (SSLverbose)
+ report(stdout, GT_("SSL verify callback depth %d: preverify_ok == %d, err = %d, %s\n"),
+ depth, ok_return, err, X509_verify_cert_error_string(err));
+ }
+
if (outlevel >= O_VERBOSE) {
if (depth == 0 && SSLverbose)
report(stdout, GT_("Server certificate:\n"));
@@ -1179,6 +1185,22 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
}
}
+ /* OpenSSL >= 1.0.2: set host name for verification */
+ /* XXX FIXME: do we need to change the function's signature and pass the akalist to
+ * permit the other hostnames through SSL? */
+ /* https://wiki.openssl.org/index.php/Hostname_validation */
+ {
+ int r;
+ X509_VERIFY_PARAM *param = SSL_get0_param(_ssl_context[sock]);
+
+ X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+ if (0 == (r = X509_VERIFY_PARAM_set1_host(param, servercname, strlen(servercname)))) {
+ report(stderr, GT_("Warning: X509_VERIFY_PARAM_set1_host(%p, \"%s\") failed (code %#x), trying to continue.\n"),
+ (void *)_ssl_context[sock], servercname, r);
+ ERR_print_errors_fp(stderr);
+ }
+ }
+
if( mycert || mykey ) {
/* Ok... He has a certificate file defined, so lets declare it. If