client ssl add flag to control server cert hostname check

This is a simplified version of a patch that went on master before v2.1 675c349cc5 It enforces hostname checking for client SSL certs; perviously it was not performed. On v2.1+, you can control if this checking is applied or not. But to avoid changing to public API, it is enforced on v2.0-stable. There is no legit reason to disable this check... if you want to disable it, upgrade to v2.1+ or stay on v2.0-stable behind this patch. https://github.com/warmcat/libwebsockets/issues/715
2016-12-14 19:27:46 +08:00 · 2016-12-14 19:27:46 +08:00 · bc10edb359
commit bc10edb359
parent b75680a15f
3 changed files with 13 additions and 12 deletions
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
@ -349,7 +349,6 @@ enum lws_context_options {
 								  (1 << 12),
 	LWS_SERVER_OPTION_LIBUV					= (1 << 10),
 	LWS_SERVER_OPTION_REDIRECT_HTTP_TO_HTTPS		= (1 << 11) |
-								  (1 << 3) |
 								  (1 << 12),
 	LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT			= (1 << 12),
 	LWS_SERVER_OPTION_EXPLICIT_VHOSTS			= (1 << 13),
--- a/lib/private-libwebsockets.h
+++ b/lib/private-libwebsockets.h
@ -1272,7 +1272,7 @@ struct lws {
 	unsigned int extension_data_pending:1;
 #endif
 #ifdef LWS_OPENSSL_SUPPORT
-	unsigned int use_ssl:2;
+	unsigned int use_ssl:3;
 	unsigned int upgraded:1;
 #endif
 #ifdef _WIN32
--- a/lib/ssl-client.c
+++ b/lib/ssl-client.c
@ -53,13 +53,15 @@ lws_ssl_client_bio_create(struct lws *wsi)
 	}

 #if defined LWS_HAVE_X509_VERIFY_PARAM_set1_host
-	param = SSL_get0_param(wsi->ssl);
-	/* Enable automatic hostname checks */
-	X509_VERIFY_PARAM_set_hostflags(param,
-					X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
-	X509_VERIFY_PARAM_set1_host(param, hostname, 0);
-	/* Configure a non-zero callback if desired */
-	SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, 0);
+	{
+		param = SSL_get0_param(wsi->ssl);
+		/* Enable automatic hostname checks */
+		X509_VERIFY_PARAM_set_hostflags(param,
+						X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+		X509_VERIFY_PARAM_set1_host(param, hostname, 0);
+		/* Configure a non-zero callback if desired */
+		SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, 0);
+	}
 #endif

 #ifndef USE_WOLFSSL
@ -286,12 +288,12 @@ lws_ssl_client_connect2(struct lws *wsi)
 	lws_latency_pre(context, wsi);
 	n = SSL_get_verify_result(wsi->ssl);
 	lws_latency(context, wsi,
-		"SSL_get_verify_result LWS_CONNMODE..HANDSHAKE",
-						      n, n > 0);
+		"SSL_get_verify_result LWS_CONNMODE..HANDSHAKE", n, n > 0);

 	if (n != X509_V_OK) {
 		if ((n == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
-		     n == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) && wsi->use_ssl == 2) {
+		     n == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) &&
+		     wsi->use_ssl == 2) {
 			lwsl_notice("accepting self-signed certificate\n");
 		} else {
 			lwsl_err("server's cert didn't look good, X509_V_ERR = %d: %s\n",