diff options
Diffstat (limited to 'src/plugins/tlsopenssl/tls_openssl.c')
-rw-r--r-- | src/plugins/tlsopenssl/tls_openssl.c | 43 |
1 files changed, 40 insertions, 3 deletions
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c index 75494aac6de..0b76425d60d 100644 --- a/src/plugins/tlsopenssl/tls_openssl.c +++ b/src/plugins/tlsopenssl/tls_openssl.c @@ -28,6 +28,7 @@ #include <tlsopenssl/tls_openssl.h> #include <tlsopenssl/tls_bios.h> #include <openssl/x509_vfy.h> +#include <openssl/x509v3.h> #define MAX_CRYPTO_LEN 64 @@ -670,7 +671,42 @@ openssl_set_ckpair (SSL *ssl_connection, u32 ckpair_index) SSL_use_PrivateKey (ssl_connection, pkey); BIO_free (cert_bio); TLS_DBG (1, "TLS client using ckpair index: %d", ckpair_index); + return 0; +} + +static int +openssl_ctx_init_verify (tls_ctx_t *ctx, int set_hostname_verification, + int set_hostname_strict_check) +{ + openssl_ctx_t *oc = (openssl_ctx_t *) ctx; + SSL *ssl = oc->ssl; + + if (set_hostname_verification) + { + X509_VERIFY_PARAM *param = SSL_get0_param (ssl); + if (!param) + { + TLS_DBG (1, "Couldn't fetch SSL param"); + return -1; + } + if (set_hostname_strict_check) + X509_VERIFY_PARAM_set_hostflags (param, + X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + + if (!X509_VERIFY_PARAM_set1_host (param, + (const char *) ctx->srv_hostname, 0)) + { + TLS_DBG (1, "Couldn't set hostname for verification"); + return -1; + } + SSL_set_verify (ssl, SSL_VERIFY_PEER, 0); + } + if (!SSL_set_tlsext_host_name (ssl, ctx->srv_hostname)) + { + TLS_DBG (1, "Couldn't set hostname"); + return -1; + } return 0; } @@ -735,10 +771,11 @@ openssl_ctx_init_client (tls_ctx_t * ctx) SSL_set_bio (oc->ssl, oc->wbio, oc->rbio); SSL_set_connect_state (oc->ssl); - rv = SSL_set_tlsext_host_name (oc->ssl, ctx->srv_hostname); - if (rv != 1) + /* Hostname validation and strict check by name, are disable by default */ + rv = openssl_ctx_init_verify (ctx, 0, 0); + if (rv) { - TLS_DBG (1, "Couldn't set hostname"); + TLS_DBG (1, "ERROR:verify init failed:%d", rv); return -1; } if (openssl_set_ckpair (oc->ssl, ctx->ckpair_index)) |