S2S-TLS/OpenSSL: Always setup host name verification

Setup host name verification even when the "SSLVerify" option is disabled, because even then the peer can present a valid certificate and validation would always(!) fail because of the missing host name verification setup.
2024-12-13 02:10:27 +00:00 · 2024-01-01 19:58:35 +01:00 · 2024-01-01 19:58:35 +01:00 · 84b019b11f
commit 84b019b11f
parent 8f8bef9fae
1 changed files with 15 additions and 13 deletions
--- a/src/ngircd/conn-ssl.c
+++ b/src/ngircd/conn-ssl.c
@ -748,13 +748,12 @@ ConnSSL_PrepareConnect(CONNECTION * c, CONF_SERVER * s)
 	if (!ret)
 		return false;
 	Conn_OPTION_ADD(c, CONN_SSL_CONNECT);
+
 #ifdef HAVE_LIBSSL
 	assert(c->ssl_state.ssl);
-	if (s->SSLVerify) {
-		X509_VERIFY_PARAM *param = NULL;
-		param = SSL_get0_param(c->ssl_state.ssl);
-		X509_VERIFY_PARAM_set_hostflags(param,
-						X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+
+	X509_VERIFY_PARAM *param = SSL_get0_param(c->ssl_state.ssl);
+	X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
 	int err = X509_VERIFY_PARAM_set1_host(param, s->host, 0);
 	if (err != 1) {
 		Log(LOG_ERR,
@ -762,11 +761,14 @@ ConnSSL_PrepareConnect(CONNECTION * c, CONF_SERVER * s)
 		    s->host, err);
 		return false;
 	}
+
+	if (s->SSLVerify)
 		SSL_set_verify(c->ssl_state.ssl, SSL_VERIFY_PEER,
 			       Verify_openssl);
-	} else
+	else
 		SSL_set_verify(c->ssl_state.ssl, SSL_VERIFY_NONE, NULL);
 #endif
+
 	return true;
 }