diff options
author | Oscar Koeroo <okoeroo@gmail.com> | 2012-11-03 02:06:51 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2012-11-08 22:23:12 +0100 |
commit | 1394cad30fcac7eb21adb9158dfcfab10e9f53d4 (patch) | |
tree | a4c89ce32f9f5fb1da8c69e1b44ba6005d6b2a96 /lib/cyassl.c | |
parent | 18c0e9bd71009792982dc6cf518427c13c8674a0 (diff) |
SSL: Several SSL-backend related fixes
axTLS:
This will make the axTLS backend perform the RFC2818 checks, honoring
the VERIFYHOST setting similar to the OpenSSL backend.
Generic for OpenSSL and axTLS:
Move the hostcheck and cert_hostcheck functions from the lib/ssluse.c
files to make them genericly available for both the OpenSSL, axTLS and
other SSL backends. They are now in the new lib/hostcheck.c file.
CyaSSL:
CyaSSL now also has the RFC2818 checks enabled by default. There is a
limitation that the verifyhost can not be enabled exclusively on the
Subject CN field comparison. This SSL backend will thus behave like the
NSS and the GnuTLS (meaning: RFC2818 ok, or bust). In other words:
setting verifyhost to 0 or 1 will disable the Subject Alt Names checks
too.
Schannel:
Updated the schannel information messages: Split the IP address usage
message from the verifyhost setting and changed the message about
disabling SNI (Server Name Indication, used in HTTP virtual hosting)
into a message stating that the Subject Alternative Names checks are
being disabled when verifyhost is set to 0 or 1. As a side effect of
switching off the RFC2818 related servername checks with
SCH_CRED_NO_SERVERNAME_CHECK
(http://msdn.microsoft.com/en-us/library/aa923430.aspx) the SNI feature
is being disabled. This effect is not documented in MSDN, but Wireshark
output clearly shows the effect (details on the libcurl maillist).
PolarSSL:
Fix the prototype change in PolarSSL of ssl_set_session() and the move
of the peer_cert from the ssl_context to the ssl_session. Found this
change in the PolarSSL SVN between r1316 and r1317 where the
POLARSSL_VERSION_NUMBER was at 0x01010100. But to accommodate the Ubuntu
PolarSSL version 1.1.4 the check is to discriminate between lower then
PolarSSL version 1.2.0 and 1.2.0 and higher. Note: The PolarSSL SVN
trunk jumped from version 1.1.1 to 1.2.0.
Generic:
All the SSL backends are fixed and checked to work with the
ssl.verifyhost as a boolean, which is an internal API change.
Diffstat (limited to 'lib/cyassl.c')
-rw-r--r-- | lib/cyassl.c | 47 |
1 files changed, 42 insertions, 5 deletions
diff --git a/lib/cyassl.c b/lib/cyassl.c index 4c517802f..3639532b2 100644 --- a/lib/cyassl.c +++ b/lib/cyassl.c @@ -53,6 +53,8 @@ #include "curl_memory.h" /* The last #include file should be: */ #include "memdebug.h" +#include <cyassl/ssl.h> +#include <cyassl/error.h> static Curl_recv cyassl_recv; @@ -237,6 +239,13 @@ cyassl_connect_step2(struct connectdata *conn, conn->recv[sockindex] = cyassl_recv; conn->send[sockindex] = cyassl_send; + /* Enable RFC2818 checks */ + if(data->set.ssl.verifyhost) { + ret = CyaSSL_check_domain_name(conssl->handle, conn->host.name); + if(ret == SSL_FAILURE) + return CURLE_OUT_OF_MEMORY; + } + ret = SSL_connect(conssl->handle); if(ret != 1) { char error_buffer[80]; @@ -246,15 +255,43 @@ cyassl_connect_step2(struct connectdata *conn, conssl->connecting_state = ssl_connect_2_reading; return CURLE_OK; } - - if(SSL_ERROR_WANT_WRITE == detail) { + else if(SSL_ERROR_WANT_WRITE == detail) { conssl->connecting_state = ssl_connect_2_writing; return CURLE_OK; } - - failf(data, "SSL_connect failed with error %d: %s", detail, + /* There is no easy way to override only the CN matching. + * This will enable the override of both mismatching SubjectAltNames + * as also mismatching CN fields */ + else if(DOMAIN_NAME_MISMATCH == detail) { +#if 1 + failf(data, "\tsubject alt name(s) or common name do not match \"%s\"\n", + conn->host.dispname); + return CURLE_PEER_FAILED_VERIFICATION; +#else + /* When the CyaSSL_check_domain_name() is used and you desire to continue + * on a DOMAIN_NAME_MISMATCH, i.e. 'data->set.ssl.verifyhost == 0', + * CyaSSL version 2.4.0 will fail with an INCOMPLETE_DATA error. The only + * way to do this is currently to switch the CyaSSL_check_domain_name() + * in and out based on the 'data->set.ssl.verifyhost' value. */ + if(data->set.ssl.verifyhost) { + failf(data, + "\tsubject alt name(s) or common name do not match \"%s\"\n", + conn->host.dispname); + return CURLE_PEER_FAILED_VERIFICATION; + } + else { + infof(data, + "\tsubject alt name(s) and/or common name do not match \"%s\"\n", + conn->host.dispname); + return CURLE_OK; + } +#endif + } + else { + failf(data, "SSL_connect failed with error %d: %s", detail, ERR_error_string(detail, error_buffer)); - return CURLE_SSL_CONNECT_ERROR; + return CURLE_SSL_CONNECT_ERROR; + } } conssl->connecting_state = ssl_connect_3; |