Posted to c-commits@axis.apache.org by bi...@apache.org on 2019/09/01 19:46:00 UTC

svn commit: r1866245 - /axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_utils.c

Author: billblough
Date: Sun Sep  1 19:46:00 2019
New Revision: 1866245

URL: http://svn.apache.org/viewvc?rev=1866245&view=rev
Log:
Add SSL host validation check to X509_V_OK code path

Per the SSL_get_verify_result man page, a successful certificate
verification results in X509_V_OK.  In that case the previously added
peer host name validation was not being performed, so add it to this
code path too.

Modified:
    axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_utils.c

Modified: axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_utils.c
URL: http://svn.apache.org/viewvc/axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_utils.c?rev=1866245&r1=1866244&r2=1866245&view=diff
==============================================================================
--- axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_utils.c (original)
+++ axis/axis2/c/core/trunk/src/core/transport/http/sender/ssl/ssl_utils.c Sun Sep  1 19:46:00 2019
@@ -274,6 +274,31 @@ axis2_ssl_utils_initialize_ssl(
             sslerror);
         return NULL;
     }
+    else {
+        /* X509_V_OK means verification succeeded or no peer cert was presented.
+         * We need to check which is the case, so let's see if there's a
+         * peer cert.
+         */
+        X509 *peer_cert = NULL;
+        peer_cert = SSL_get_peer_certificate(ssl);
+        if (peer_cert) {
+            /* if the caller passed a hostname, verify it against the cert */
+            if (host) {
+                if (X509_check_host(peer_cert, host, strlen(host), 0, NULL) == 1) {
+                    AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI,
+                            "[ssl client] peer name matches certificate CN/SAN");
+                } else {
+                    AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI,
+                            "[ssl client] peer name does not match certificate CN/SAN");
+                    X509_free(peer_cert);
+                    return NULL;
+                }
+            }
+
+            X509_free(peer_cert);
+        }
+
+    }
 
     return ssl;
 }
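Review bot: When SSL_get_verify_result() returns X509_V_OK because no peer certificate was presented, the new else branch (the `if (peer_cert)` at line 38 has no else) logs nothing and falls through to `return ssl;`, so a connection with no server certificate is accepted with no host validation at all — the very case the comment at the top of the branch says must be distinguished. When the caller supplied `host`, a missing peer certificate should be treated as a verification failure and return NULL, and the name-mismatch path should log at error level rather than debug since it aborts the connection (the verify-failure path at the top of the hunk appears to use an error-level log; match its macro). Consider also passing `X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS` instead of 0 to X509_check_host() so names such as `*oo.example.com` are not accepted. The function begins before this hunk, so how `ssl` is released on the NULL-return paths is not visible here and should match the existing failure path.
```c
    else {
        /* X509_V_OK also covers "no peer certificate presented": treat that
         * as a failure when the caller asked for host validation. */
        X509 *peer_cert = SSL_get_peer_certificate(ssl);
        if (!peer_cert) {
            if (host) {
                AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
                        "[ssl client] no peer certificate presented; cannot validate host");
                return NULL;
            }
        } else {
            if (host && X509_check_host(peer_cert, host, strlen(host),
                                        X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL) != 1) {
                AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI,
                        "[ssl client] peer name does not match certificate CN/SAN");
                X509_free(peer_cert);
                return NULL;
            }
            /* … unchanged: debug log on successful match … */
            X509_free(peer_cert);
        }
    }
```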