summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2014-05-26 10:35:50 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2014-05-26 10:35:50 +0100
commitd8e7834aeddc637bd49730444f4d257eb8267135 (patch)
tree082c76f5ef27c66bc75bce4b231d35e51aa94054 /src
parent533aaf9166d3e1cca6dac7e309914a88b25e4260 (diff)
Restrict certificate name checkin for wildcards.
On more recent OpenSSL library versions the builtin wildcard checking can take a restriction option that we want, to disallow the more complex possibilities of wildcarding.
Diffstat (limited to 'src')
-rw-r--r--src/src/tls-openssl.c16
1 files changed, 14 insertions, 2 deletions
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index bcca506e0..9609d6252 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -327,13 +327,25 @@ else
/* client, wanting hostname check */
# if OPENSSL_VERSION_NUMBER >= 0x010100000L || OPENSSL_VERSION_NUMBER >= 0x010002000L
+# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
+# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
+# endif
{
int sep = 0;
uschar * list = verify_cert_hostnames;
uschar * name;
- while (name = string_nextinlist(&list, &sep, NULL, 0))
- if (X509_check_host(cert, name, 0, 0))
+ int rc;
+ while ((name = string_nextinlist(&list, &sep, NULL, 0)))
+ if ((rc = X509_check_host(cert, name, 0,
+ X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)))
+ {
+ if (rc < 0)
+ {
+ log_write(0, LOG_MAIN, "SSL verify error: internal error\n");
+ name = NULL;
+ }
break;
+ }
if (!name)
{
log_write(0, LOG_MAIN,