diff options
author | Jeremy Harris <jgh146exb@wizmail.org> | 2014-05-26 10:35:50 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2014-05-26 10:35:50 +0100 |
commit | d8e7834aeddc637bd49730444f4d257eb8267135 (patch) | |
tree | 082c76f5ef27c66bc75bce4b231d35e51aa94054 /src | |
parent | 533aaf9166d3e1cca6dac7e309914a88b25e4260 (diff) |
Restrict certificate name checkin for wildcards.
On more recent OpenSSL library versions the builtin wildcard checking
can take a restriction option that we want, to disallow the more
complex possibilities of wildcarding.
Diffstat (limited to 'src')
-rw-r--r-- | src/src/tls-openssl.c | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index bcca506e0..9609d6252 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -327,13 +327,25 @@ else /* client, wanting hostname check */ # if OPENSSL_VERSION_NUMBER >= 0x010100000L || OPENSSL_VERSION_NUMBER >= 0x010002000L +# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS +# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0 +# endif { int sep = 0; uschar * list = verify_cert_hostnames; uschar * name; - while (name = string_nextinlist(&list, &sep, NULL, 0)) - if (X509_check_host(cert, name, 0, 0)) + int rc; + while ((name = string_nextinlist(&list, &sep, NULL, 0))) + if ((rc = X509_check_host(cert, name, 0, + X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS))) + { + if (rc < 0) + { + log_write(0, LOG_MAIN, "SSL verify error: internal error\n"); + name = NULL; + } break; + } if (!name) { log_write(0, LOG_MAIN, |