From 3c74c3f3ec64f3a152aef07e0fec2863d72a988f Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Sun, 27 Jan 2019 13:37:20 +0100 Subject: Enable OpenSSL >= 1.0.2 native name verification. --- socket.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'socket.c') diff --git a/socket.c b/socket.c index bcf06491..7550519b 100644 --- a/socket.c +++ b/socket.c @@ -636,6 +636,12 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict ) subj = X509_get_subject_name(x509_cert); issuer = X509_get_issuer_name(x509_cert); + if (outlevel >= O_DEBUG) { + if (SSLverbose) + report(stdout, GT_("SSL verify callback depth %d: preverify_ok == %d, err = %d, %s\n"), + depth, ok_return, err, X509_verify_cert_error_string(err)); + } + if (outlevel >= O_VERBOSE) { if (depth == 0 && SSLverbose) report(stdout, GT_("Server certificate:\n")); @@ -1179,6 +1185,22 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck } } + /* OpenSSL >= 1.0.2: set host name for verification */ + /* XXX FIXME: do we need to change the function's signature and pass the akalist to + * permit the other hostnames through SSL? */ + /* https://wiki.openssl.org/index.php/Hostname_validation */ + { + int r; + X509_VERIFY_PARAM *param = SSL_get0_param(_ssl_context[sock]); + + X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + if (0 == (r = X509_VERIFY_PARAM_set1_host(param, servercname, strlen(servercname)))) { + report(stderr, GT_("Warning: X509_VERIFY_PARAM_set1_host(%p, \"%s\") failed (code %#x), trying to continue.\n"), + (void *)_ssl_context[sock], servercname, r); + ERR_print_errors_fp(stderr); + } + } + if( mycert || mykey ) { /* Ok... He has a certificate file defined, so lets declare it. If -- cgit v1.2.3