
S2S-TLS/OpenSSL: Always setup host name verification

Set up host name verification even when the "SSLVerify" option is
disabled: even then the peer can present a valid certificate, and
validation would always(!) fail because host name verification was
never set up.
This commit is contained in:
Alexander Barton 2024-01-01 19:58:35 +01:00
parent 8f8bef9fae
commit 84b019b11f


@ -748,13 +748,12 @@ ConnSSL_PrepareConnect(CONNECTION * c, CONF_SERVER * s)
if (!ret) if (!ret)
return false; return false;
Conn_OPTION_ADD(c, CONN_SSL_CONNECT); Conn_OPTION_ADD(c, CONN_SSL_CONNECT);
#ifdef HAVE_LIBSSL #ifdef HAVE_LIBSSL
assert(c->ssl_state.ssl); assert(c->ssl_state.ssl);
if (s->SSLVerify) {
X509_VERIFY_PARAM *param = NULL; X509_VERIFY_PARAM *param = SSL_get0_param(c->ssl_state.ssl);
param = SSL_get0_param(c->ssl_state.ssl); X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
X509_VERIFY_PARAM_set_hostflags(param,
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
int err = X509_VERIFY_PARAM_set1_host(param, s->host, 0); int err = X509_VERIFY_PARAM_set1_host(param, s->host, 0);
if (err != 1) { if (err != 1) {
Log(LOG_ERR, Log(LOG_ERR,
@ -762,11 +761,14 @@ ConnSSL_PrepareConnect(CONNECTION * c, CONF_SERVER * s)
s->host, err); s->host, err);
return false; return false;
} }
if (s->SSLVerify)
SSL_set_verify(c->ssl_state.ssl, SSL_VERIFY_PEER, SSL_set_verify(c->ssl_state.ssl, SSL_VERIFY_PEER,
Verify_openssl); Verify_openssl);
} else else
SSL_set_verify(c->ssl_state.ssl, SSL_VERIFY_NONE, NULL); SSL_set_verify(c->ssl_state.ssl, SSL_VERIFY_NONE, NULL);
#endif #endif
return true; return true;
} }
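Review bot: The new code sets the expected host name and host flags on the X509_VERIFY_PARAM before the SSLVerify check, but nothing in the hunk records why this must happen even when SSLVerify is off, so a later maintainer could "optimize" it back under the `if (s->SSLVerify)` and reintroduce the bug the commit fixes. With SSL_VERIFY_NONE OpenSSL still runs the chain and host name checks in client mode and only ignores the outcome, so the result stays available via SSL_get_verify_result(); presumably that is where the "always fails" symptom in the commit message comes from. I would add above the `X509_VERIFY_PARAM *param = SSL_get0_param(...)` line: `/* Always set the expected host name, even when SSLVerify is off: OpenSSL still runs the verification and reports the result, and without a host name the check can never pass. */`. A secondary style point: the `if (s->SSLVerify) ... else ...` pair now has unbraced multi-line bodies, which the rest of this function brace (`if (err != 1) {`); bracing both arms would match. ConnSSL_PrepareConnect() begins before the first hunk, so the earlier part of the function is not visible here.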