Mirrors/libwebsockets
1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-09 00:00:04 +01:00
Code Issues Releases Wiki Activity

openssl: Allow IP-based SAN in automatic hostname check

Browse source 
With OpenSSL, `X509_VERIFY_PARAM_set1_host` only checks matching hostnames and alternative names that are domain-based.

This change tries calling `X509_VERIFY_PARAM_set1_ip_asc` first, which attempts to parse the hostname as an IP address (v4 or v6). If this fails, it'll fall back to the current `X509_VERIFY_PARAM_set1_host` behavior.
This commit is contained in:
=?UTF-8?q?Samuel=20Lor=C3=A9tan?= 2018-12-05 15:38:23 -08:00 committed by Andy Green
parent 08b5ad9299
commit 31d1d73f74
1 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
lib/tls/openssl/openssl-client.c
View file

@ -158,7 +158,9 @@ lws_ssl_client_bio_create(struct lws *wsi)
/* Enable automatic hostname checks */
X509_VERIFY_PARAM_set_hostflags(param,
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
X509_VERIFY_PARAM_set1_host(param, hostname, 0);
// Handle the case where the hostname is an IP address.
if (!X509_VERIFY_PARAM_set1_ip_asc(param, hostname))
X509_VERIFY_PARAM_set1_host(param, hostname, 0);
}
#endif