summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/plugins/tlsopenssl/tls_openssl.c43
1 files changed, 40 insertions, 3 deletions
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 75494aac6de..0b76425d60d 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -28,6 +28,7 @@
#include <tlsopenssl/tls_openssl.h>
#include <tlsopenssl/tls_bios.h>
#include <openssl/x509_vfy.h>
+#include <openssl/x509v3.h>
#define MAX_CRYPTO_LEN 64
@@ -670,7 +671,42 @@ openssl_set_ckpair (SSL *ssl_connection, u32 ckpair_index)
SSL_use_PrivateKey (ssl_connection, pkey);
BIO_free (cert_bio);
TLS_DBG (1, "TLS client using ckpair index: %d", ckpair_index);
+ return 0;
+}
+
+static int
+openssl_ctx_init_verify (tls_ctx_t *ctx, int set_hostname_verification,
+ int set_hostname_strict_check)
+{
+ openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
+ SSL *ssl = oc->ssl;
+
+ if (set_hostname_verification)
+ {
+ X509_VERIFY_PARAM *param = SSL_get0_param (ssl);
+ if (!param)
+ {
+ TLS_DBG (1, "Couldn't fetch SSL param");
+ return -1;
+ }
+ if (set_hostname_strict_check)
+ X509_VERIFY_PARAM_set_hostflags (param,
+ X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+
+ if (!X509_VERIFY_PARAM_set1_host (param,
+ (const char *) ctx->srv_hostname, 0))
+ {
+ TLS_DBG (1, "Couldn't set hostname for verification");
+ return -1;
+ }
+ SSL_set_verify (ssl, SSL_VERIFY_PEER, 0);
+ }
+ if (!SSL_set_tlsext_host_name (ssl, ctx->srv_hostname))
+ {
+ TLS_DBG (1, "Couldn't set hostname");
+ return -1;
+ }
return 0;
}
@@ -735,10 +771,11 @@ openssl_ctx_init_client (tls_ctx_t * ctx)
SSL_set_bio (oc->ssl, oc->wbio, oc->rbio);
SSL_set_connect_state (oc->ssl);
- rv = SSL_set_tlsext_host_name (oc->ssl, ctx->srv_hostname);
- if (rv != 1)
+ /* Hostname validation and strict check by name, are disable by default */
+ rv = openssl_ctx_init_verify (ctx, 0, 0);
+ if (rv)
{
- TLS_DBG (1, "Couldn't set hostname");
+ TLS_DBG (1, "ERROR:verify init failed:%d", rv);
return -1;
}
if (openssl_set_ckpair (oc->ssl, ctx->ckpair_index))