certcheck: use the custom Host: name for checks
If you use a custom Host: name in a request to an SSL server, libcurl will now use that given name, rather than the host name in the actual URL, when it verifies that the server certificate is correct.
parent
4b2fbe1e97
commit
b0fd03f5b8
12
lib/ssluse.c
12
lib/ssluse.c
@ -1125,16 +1125,20 @@ static CURLcode verifyhost(struct connectdata *conn,
|
|||||||
struct in_addr addr;
|
struct in_addr addr;
|
||||||
#endif
|
#endif
|
||||||
CURLcode res = CURLE_OK;
|
CURLcode res = CURLE_OK;
|
||||||
|
char *hostname;
|
||||||
|
|
||||||
|
hostname = conn->allocptr.customhost?conn->allocptr.customhost:
|
||||||
|
conn->host.name;
|
||||||
|
|
||||||
#ifdef ENABLE_IPV6
|
#ifdef ENABLE_IPV6
|
||||||
if(conn->bits.ipv6_ip &&
|
if(conn->bits.ipv6_ip &&
|
||||||
Curl_inet_pton(AF_INET6, conn->host.name, &addr)) {
|
Curl_inet_pton(AF_INET6, hostname, &addr)) {
|
||||||
target = GEN_IPADD;
|
target = GEN_IPADD;
|
||||||
addrlen = sizeof(struct in6_addr);
|
addrlen = sizeof(struct in6_addr);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
#endif
|
#endif
|
||||||
if(Curl_inet_pton(AF_INET, conn->host.name, &addr)) {
|
if(Curl_inet_pton(AF_INET, hostname, &addr)) {
|
||||||
target = GEN_IPADD;
|
target = GEN_IPADD;
|
||||||
addrlen = sizeof(struct in_addr);
|
addrlen = sizeof(struct in_addr);
|
||||||
}
|
}
|
||||||
@ -1176,7 +1180,7 @@ static CURLcode verifyhost(struct connectdata *conn,
|
|||||||
if((altlen == strlen(altptr)) &&
|
if((altlen == strlen(altptr)) &&
|
||||||
/* if this isn't true, there was an embedded zero in the name
|
/* if this isn't true, there was an embedded zero in the name
|
||||||
string and we cannot match it. */
|
string and we cannot match it. */
|
||||||
cert_hostcheck(altptr, conn->host.name))
|
cert_hostcheck(altptr, hostname))
|
||||||
matched = 1;
|
matched = 1;
|
||||||
else
|
else
|
||||||
matched = 0;
|
matched = 0;
|
||||||
@ -1278,7 +1282,7 @@ static CURLcode verifyhost(struct connectdata *conn,
|
|||||||
"SSL: unable to obtain common name from peer certificate");
|
"SSL: unable to obtain common name from peer certificate");
|
||||||
res = CURLE_PEER_FAILED_VERIFICATION;
|
res = CURLE_PEER_FAILED_VERIFICATION;
|
||||||
}
|
}
|
||||||
else if(!cert_hostcheck((const char *)peer_CN, conn->host.name)) {
|
else if(!cert_hostcheck((const char *)peer_CN, hostname)) {
|
||||||
if(data->set.ssl.verifyhost > 1) {
|
if(data->set.ssl.verifyhost > 1) {
|
||||||
failf(data, "SSL: certificate subject name '%s' does not match "
|
failf(data, "SSL: certificate subject name '%s' does not match "
|
||||||
"target host name '%s'", peer_CN, conn->host.dispname);
|
"target host name '%s'", peer_CN, conn->host.dispname);
|
||||||
|
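Review bot: The failure message in the last hunk still prints `conn->host.dispname` for "does not match target host name", although the comparison just above it now uses `hostname`, so with a custom Host: header the error names a host that was never compared; passing `hostname` to that `failf` would keep the log consistent with the check. More broadly, the `hostname = conn->allocptr.customhost?...` assignment in the first hunk makes an application-supplied request header the identity the certificate is matched against, which decouples verification from the name actually connected to. Nothing visible here limits that to the original request, so a Host: value built from less-trusted input, or one that persists onto a redirected connection, would presumably have the certificate checked against the wrong name. A comment at the assignment such as `/* a custom Host: header overrides the URL host for certificate matching */` would document the trust decision, and it is worth confirming whether `customhost` can carry a `:port` suffix, which `cert_hostcheck` would presumably fail to match. The body of `verifyhost` extends outside these hunks.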