SSL Error: Enable OpenSSL hostname verification
Since OpenSSL 1.0.2 there has been hostname verification support which cURL doesn't turn on for some reason. Turn it on so that we get better hostname verification handling. Signed-off-by: Daniel Silverstone <dsilvers@digital-scurf.org>
This commit is contained in:
parent
c903c881e6
commit
44f3846727
|
@ -39,6 +39,7 @@
|
|||
#include <time.h>
|
||||
#include <sys/stat.h>
|
||||
#include <openssl/ssl.h>
|
||||
#include <openssl/x509v3.h>
|
||||
|
||||
#include <libwapcaplet/libwapcaplet.h>
|
||||
#include <nsutils/time.h>
|
||||
|
@ -594,6 +595,9 @@ fetch_curl_report_certs_upstream(struct curl_fetch_info *f)
|
|||
case X509_V_ERR_CERT_REVOKED:
|
||||
ssl_certs[depth].err = SSL_CERT_ERR_REVOKED;
|
||||
break;
|
||||
case X509_V_ERR_HOSTNAME_MISMATCH:
|
||||
ssl_certs[depth].err = SSL_CERT_ERR_HOSTNAME_MISMATCH;
|
||||
break;
|
||||
default:
|
||||
ssl_certs[depth].err = SSL_CERT_ERR_UNKNOWN;
|
||||
break;
|
||||
|
@ -689,9 +693,20 @@ static int fetch_curl_cert_verify_callback(X509_STORE_CTX *x509_ctx, void *parm)
|
|||
{
|
||||
struct curl_fetch_info *f = (struct curl_fetch_info *) parm;
|
||||
int ok;
|
||||
X509_VERIFY_PARAM *vparam;
|
||||
|
||||
/* Configure the verification parameters to include hostname */
|
||||
vparam = X509_STORE_CTX_get0_param(x509_ctx);
|
||||
X509_VERIFY_PARAM_set_hostflags(vparam, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
|
||||
|
||||
ok = X509_VERIFY_PARAM_set1_host(vparam,
|
||||
lwc_string_data(f->host),
|
||||
lwc_string_length(f->host));
|
||||
|
||||
/* Store fetch struct in context for verify callback */
|
||||
ok = X509_STORE_CTX_set_app_data(x509_ctx, parm);
|
||||
if (ok) {
|
||||
ok = X509_STORE_CTX_set_app_data(x509_ctx, parm);
|
||||
}
|
||||
|
||||
/* verify the certificate chain using standard call */
|
||||
if (ok) {
|
||||
|
@ -1181,21 +1196,9 @@ static void fetch_curl_done(CURL *curl_handle, CURLcode result)
|
|||
;
|
||||
} else if (result == CURLE_SSL_PEER_CERTIFICATE ||
|
||||
result == CURLE_SSL_CACERT) {
|
||||
/*
|
||||
* curl in 7.63.0 (https://github.com/curl/curl/pull/3291)
|
||||
* unified *all* SSL errors into the single
|
||||
* CURLE_PEER_FAILED_VERIFICATION depricating
|
||||
* CURLE_SSL_PEER_CERTIFICATE and CURLE_SSL_CACERT
|
||||
*
|
||||
* This change complete removed the ability to
|
||||
* distinguish between certificate errors, host
|
||||
* verification errors or any other failure reason
|
||||
* using the curl result code.
|
||||
*
|
||||
* The result is when certificate error message is
|
||||
* sent there is currently no way of informing the
|
||||
* llcache about host verification faliures as the
|
||||
* certificate chain has no error codes set.
|
||||
/* Some kind of failure has occurred. If we don't know
|
||||
* what happened, we'll have reported unknown errors up
|
||||
* to the user already via the certificate chain error fields.
|
||||
*/
|
||||
cert = true;
|
||||
} else {
|
||||
|
|
|
@ -38,7 +38,7 @@ typedef enum {
|
|||
SSL_CERT_ERR_SELF_SIGNED, /**< This certificate (or the chain) is self signed */
|
||||
SSL_CERT_ERR_CHAIN_SELF_SIGNED, /**< This certificate chain is self signed */
|
||||
SSL_CERT_ERR_REVOKED, /**< This certificate has been revoked */
|
||||
SSL_CERT_ERR_COMMON_NAME, /**< This certificate host did not match teh server */
|
||||
SSL_CERT_ERR_HOSTNAME_MISMATCH, /**< This certificate host did not match the server */
|
||||
} ssl_cert_err;
|
||||
|
||||
/**
|
||||
|
|
|
@ -1076,7 +1076,7 @@ en.all.SSLCertErrTooOld:The certificate has expired.
|
|||
en.all.SSLCertErrSelfSigned:The certificate is self signed.
|
||||
en.all.SSLCertErrChainSelfSigned:The certificate chain is self signed.
|
||||
en.all.SSLCertErrRevoked:The certificate has been revoked by the issuer.
|
||||
en.all.SSLCertErrCommonName:The certificate is for a different host than the server
|
||||
en.all.SSLCertErrHostnameMismatch:The certificate is for a different host than the server
|
||||
|
||||
|
||||
# SSL certificate viewer
|
||||
|
|
|
@ -383,9 +383,9 @@ const char *messages_get_sslcode(ssl_cert_err code)
|
|||
/* This certificate has been revoked */
|
||||
return messages_get_ctx("SSLCertErrRevoked", messages_hash);
|
||||
|
||||
case SSL_CERT_ERR_COMMON_NAME:
|
||||
case SSL_CERT_ERR_HOSTNAME_MISMATCH:
|
||||
/* Common name is invalid */
|
||||
return messages_get_ctx("SSLCertErrCommonName", messages_hash);
|
||||
return messages_get_ctx("SSLCertErrHostnameMismatch", messages_hash);
|
||||
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue