Add SSL host validation check to X509_V_OK code path
Based on the man page for SSL_get_verify_result, a good certificate
verification can result in X509_V_OK.  In this case, the previously
added peer host name validation would not happen.  So add it to this
case, too.
bblough committed Sep 1, 2019
1 parent 04cbb69 commit 2eee4d21047f4ba69cda4b362641c4ec7c764c45
Showing 1 changed file with 25 additions and 0 deletions.
@@ -274,6 +274,31 @@ axis2_ssl_utils_initialize_ssl(
return NULL;
else {
/* X509_V_OK means verification succeeded or no peer cert was presented.
* We need to check which is the case, so let's see if there's a
* peer cert.
X509 *peer_cert = NULL;
peer_cert = SSL_get_peer_certificate(ssl);
if (peer_cert) {
/* if the caller passed a hostname, verify it against the cert */
if (host) {
if (X509_check_host(peer_cert, host, strlen(host), 0, NULL) == 1) {
"[ssl client] peer name matches certificate CN/SAN");
} else {
"[ssl client] peer name does not match certificate CN/SAN");
return NULL;



return ssl;
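Review bot: the X509 returned by `SSL_get_peer_certificate(ssl)` is never released, so both the match path (falling through to `return ssl;`) and the mismatch path (`return NULL;`) leak a reference; SSL_get_peer_certificate bumps the certificate's reference count, so add `X509_free(peer_cert);` before each return (a single cleanup label would keep this in one place). Two related points in the same block: when `peer_cert` is NULL the code goes straight to `return ssl;`, accepting a session in which the server presented no certificate at all, and when `host` is NULL the name check is skipped silently; for a client-side helper both cases should fail closed, or at the very least log that no peer validation was performed, since, as the new comment itself says, X509_V_OK alone does not prove a certificate was checked. Treating only `X509_check_host(...) == 1` as success is right, because the function also returns -1 and -2 for internal errors and malformed input, and those fall into the reject branch. Lastly, as rendered here the two "[ssl client] ..." strings appear without their enclosing log call and the opening comment block has no closing `*/`; worth confirming the committed source is complete.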
