Fix SNI check when custom root-CA used on Apple devices.

Pre-release

@graebm released this 17 Jun 17:36
· 238 commits to main since this release
14b5e6d
Validate hostname on Mac when custom root-CA is used. (#396)

**Issue:** When a custom root-CA was specified, we were not validating the hostname.

**Solution:** Use `SecPolicyCreateSSL()` instead of `SecPolicyCreateBasicX509()` in this scenario.

**Also:**
1) The lifetime of `unittests.crt` had to be shortened to 2.25 years to meet the [stricter standards](https://support.apple.com/en-us/HT210176) of `SecPolicyCreateSSL()`. Added `unittests.readme` with instructions on how to update these files again in the future.

2) Simplify code that logs the server name. (The code we had didn't actually do what we thought it did. As far as I can tell, the SecureChannel API doesn't offer a function to query the server name.)

Credit: Adapted from patch submitted by F-Secure
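
The following is an added example, not code from this release or from the project: it evaluates one certificate against a custom root twice with Apple's Security framework, once under `SecPolicyCreateBasicX509()` and once under `SecPolicyCreateSSL()`, to show that only the second ties the certificate to the expected server name. The `PeerCheck`, `isTrusted` and `loadDER` names and the DER file arguments are assumptions made for the illustration.

```swift
import Foundation
import Security

// Added example: the policy decides whether the peer's name is checked at all.
enum PeerCheck {
    case chainOnly                 // SecPolicyCreateBasicX509(): chain validity only
    case chainAndHostname(String)  // SecPolicyCreateSSL(): chain plus server name
}

/// Evaluate `chain` (leaf first) while trusting only `customRoot`.
func isTrusted(chain: [SecCertificate], customRoot: SecCertificate, check: PeerCheck) -> Bool {
    let policy: SecPolicy
    switch check {
    case .chainOnly:
        policy = SecPolicyCreateBasicX509()
    case .chainAndHostname(let host):
        policy = SecPolicyCreateSSL(true, host as CFString)  // true = server certificate
    }
    var trustOut: SecTrust?
    guard SecTrustCreateWithCertificates(chain as CFArray, policy, &trustOut) == errSecSuccess,
          let trust = trustOut,
          // Replace the system anchors with the custom root CA.
          SecTrustSetAnchorCertificates(trust, [customRoot] as CFArray) == errSecSuccess,
          SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess
    else { return false }
    var error: CFError?
    let ok = SecTrustEvaluateWithError(trust, &error)
    if !ok, let error = error { print("  rejected: \(error)") }
    return ok
}

/// Load a DER-encoded certificate from disk (hypothetical helper).
func loadDER(_ path: String) -> SecCertificate? {
    guard let data = FileManager.default.contents(atPath: path) else { return nil }
    return SecCertificateCreateWithData(nil, data as CFData)
}

// Assumed inputs (not from the page): a leaf certificate, the root that signed it,
// and the hostname the client intended to reach.
let args = CommandLine.arguments
guard args.count == 4, let leaf = loadDER(args[1]), let root = loadDER(args[2]) else {
    print("usage: \(args[0]) <leaf.der> <root.der> <expected-hostname>")
    exit(2)
}
print("basic X.509 policy:", isTrusted(chain: [leaf], customRoot: root, check: .chainOnly))
print("SSL policy for \(args[3]):",
      isTrusted(chain: [leaf], customRoot: root, check: .chainAndHostname(args[3])))
```

When the leaf was issued for a different name than the one passed in, the basic X.509 policy still accepts it as long as it chains to the root, while the SSL policy rejects it. As the release notes mention, the SSL policy also applies stricter certificate standards, so a long-lived test certificate can be rejected for its lifetime rather than its name.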