mirrors/ngircd
1
0
Fork 0
mirror of https://github.com/osmarks/ngircd.git synced 2024-10-27 20:36:18 +00:00
Code Issues Releases Wiki Activity

S2S-TLS/OpenSSL: Always setup host name verification

Browse Source 
Setup host name verification even when the "SSLVerify" option is
disabled, because even then the peer can present a valid certificate and
validation would always(!) fail because of the missing host name
verification setup.
This commit is contained in:
Alexander Barton 2024-01-01 19:58:35 +01:00
parent 8f8bef9fae
commit 84b019b11f
1 changed files with 15 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
src/ngircd/conn-ssl.c
View File

@ -748,25 +748,27 @@ ConnSSL_PrepareConnect(CONNECTION * c, CONF_SERVER * s)
if (!ret)
return false;
Conn_OPTION_ADD(c, CONN_SSL_CONNECT);
#ifdef HAVE_LIBSSL
assert(c->ssl_state.ssl);
if (s->SSLVerify) {
X509_VERIFY_PARAM *param = NULL;
param = SSL_get0_param(c->ssl_state.ssl);
X509_VERIFY_PARAM_set_hostflags(param,
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
int err = X509_VERIFY_PARAM_set1_host(param, s->host, 0);
if (err != 1) {
Log(LOG_ERR,
"Cannot set up hostname verification for '%s': %u",
s->host, err);
return false;
}
X509_VERIFY_PARAM *param = SSL_get0_param(c->ssl_state.ssl);
X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
int err = X509_VERIFY_PARAM_set1_host(param, s->host, 0);
if (err != 1) {
Log(LOG_ERR,
"Cannot set up hostname verification for '%s': %u",
s->host, err);
return false;
}
if (s->SSLVerify)
SSL_set_verify(c->ssl_state.ssl, SSL_VERIFY_PEER,
Verify_openssl);
} else
else
SSL_set_verify(c->ssl_state.ssl, SSL_VERIFY_NONE, NULL);
#endif
return true;
}