generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Better invalid SNI name error handling

Browse Source 
Also report an SSL_dane_enable error when the basedomain is an
invalid SNI name.  Avoid side-effects when such a name is valid
with X509_VERIFY_PARAM_set1_host(), as e.g. with an empty name, by
setting the SNI name first.

Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Viktor Dukhovni
2016-01-16 13:25:17 -05:00
parent 0982ecaaee
commit 8d887efa2e
1 changed files with 12 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
ssl/ssl_lib.c
View File

@@ -872,15 +872,21 @@ int SSL_dane_enable(SSL *s, const char *basedomain)
return 0; return 0;
} }
/* Primary RFC6125 reference identifier */ /*
if (!X509_VERIFY_PARAM_set1_host(s->param, basedomain, 0)) { * Default SNI name. This rejects empty names, while set1_host below
* accepts them and disables host name checks. To avoid side-effects with
* invalid input, set the SNI name first.
*/
if (s->tlsext_hostname == NULL) {
if (!SSL_set_tlsext_host_name(s, basedomain)) {
SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN); SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN);
return -1; return -1;
} }
}
/* Default SNI name */ /* Primary RFC6125 reference identifier */
if (s->tlsext_hostname == NULL) { if (!X509_VERIFY_PARAM_set1_host(s->param, basedomain, 0)) {
if (!SSL_set_tlsext_host_name(s, basedomain)) SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN);
return -1; return -1;
} }