Verify host name against subjectAltName on non-ASCII platforms #2493
Conversation
Curl_cert_hostcheck operates with the host character set, therefore the ASCII subjectAltName string retrieved with OpenSSL must be converted to the host encoding before comparison.
The travis red is a failed

Fixed "make checksrc" problem.
There's a second place in the file where

And regarding the code, I would prefer an approach that uses less #ifdefs in place. Perhaps you can just provide a wrapper function that does the conversions in this style:

```c
#ifdef CURL_DOES_CONVERSIONS
/* Convert the ASCII pattern from OpenSSL to the host charset, then run the
   normal host check on the converted copy. The caller's 'data' is needed for
   Curl_convert_from_network(), so it is passed in explicitly. */
static int hostcheck_convert(struct Curl_easy *data,
                             const char *match_pattern, const char *hostname)
{
  int rc = 0;                       /* no match unless proven otherwise */
  char *pattern2 = strdup(match_pattern);
  if(pattern2) {
    if(!Curl_convert_from_network(data, pattern2, strlen(pattern2)))
      rc = Curl_cert_hostcheck(pattern2, hostname);
    free(pattern2);
  }
  return rc;
}
/* From here on, callers in this file that have 'data' in scope get the
   converting wrapper instead of the plain check. */
#define Curl_cert_hostcheck(x,y) hostcheck_convert(data, x, y)
#endif
```
You are right, I need to check this. If I understand it correctly the second place is triggered when a certificate does not have the

I will refactor the code accordingly.
The second place within Line 1516 in a3f3853
For readability reasons the matching of the subjectAltName entries against the hostname was moved to a function of its own.

I moved the check against subjectAltName into a separate function. The proposed macro trick to redefine the function
Thanks, the red travis failure is unrelated. I took the liberty to modify your function slightly before I merged, please have a look and shout if you think I massacred something.
Curl_cert_hostcheck operates with the host character set, therefore the ASCII subjectAltName string retrieved with OpenSSL must be converted to the host encoding before comparison.
This was discovered on a z/OS machine with EBCDIC encoding, where HTTPS connections to servers with subjectAltName in the server certificate failed.
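A self-contained illustration of the conversion this PR adds, written for this page and not taken from curl: a constructed ASCII-to-EBCDIC table stands in for Curl_convert_from_network, a simplified cert_hostcheck stands in for Curl_cert_hostcheck (exact or one-label wildcard match only, no case folding), and subj_alt_hostcheck shows the ASCII subjectAltName being converted to the host charset before the comparison. All function and macro names other than the curl ones just mentioned are assumptions made here.

```c
#include <stdlib.h>
#include <string.h>
/* '*' and '.' as seen on an EBCDIC (cp1047) host; ASCII has 0x2A and 0x2E. */
#define HOST_STAR 0x5C
#define HOST_DOT  0x4B

/* Constructed ASCII -> EBCDIC 1047 map for host-name characters. */
static unsigned char ascii_to_ebcdic(unsigned char c)
{
  if(c >= 'a' && c <= 'i') return (unsigned char)(0x81 + c - 'a');
  if(c >= 'j' && c <= 'r') return (unsigned char)(0x91 + c - 'j');
  if(c >= 's' && c <= 'z') return (unsigned char)(0xA2 + c - 's');
  if(c >= '0' && c <= '9') return (unsigned char)(0xF0 + c - '0');
  if(c == '.') return HOST_DOT;
  if(c == '*') return HOST_STAR;
  return 0x3F;                      /* EBCDIC substitute character */
}

/* Stand-in for Curl_convert_from_network(): in-place conversion, 0 == OK. */
static int convert_from_network(char *buf, size_t len)
{
  for(size_t i = 0; i < len; i++)
    buf[i] = (char)ascii_to_ebcdic((unsigned char)buf[i]);
  return 0;
}

/* Simplified Curl_cert_hostcheck (host charset in): exact, or "*." plus one label. */
static int cert_hostcheck(const char *pattern, const char *hostname)
{
  if(pattern[0] == (char)HOST_STAR && pattern[1] == (char)HOST_DOT) {
    const char *rest = strchr(hostname, HOST_DOT);
    return rest && rest != hostname && strcmp(pattern + 1, rest) == 0;
  }
  return strcmp(pattern, hostname) == 0;
}

/* The PR's fix: copy the ASCII subjectAltName, convert it, then run the host check. */
static int subj_alt_hostcheck(const char *san_ascii, const char *hostname)
{
  int rc = 0;
  size_t len = strlen(san_ascii);
  char *san = malloc(len + 1);
  if(san) {
    memcpy(san, san_ascii, len + 1);
    if(!convert_from_network(san, len))
      rc = cert_hostcheck(san, hostname);
    free(san);
  }
  return rc;
}
```

Feeding the unconverted ASCII pattern straight to cert_hostcheck against an EBCDIC host name fails even for a matching certificate, which is the z/OS failure the PR describes; the converting wrapper matches.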