Set expected certificate hostname when connecting to an HTTPS server
This commit is contained in:
@@ -2435,9 +2435,23 @@ static void socket_update(Socket *s)
|
|||||||
else
|
else
|
||||||
addr = s->addr;
|
addr = s->addr;
|
||||||
|
|
||||||
if (addr.name)
|
if (addr.name) {
|
||||||
|
|
||||||
|
// Set expected hostname for verification
|
||||||
|
if (SSL_set1_host(s->ssl, addr.name->data) != 1) {
|
||||||
|
s->state = SOCKET_STATE_DIED;
|
||||||
|
s->events = 0;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Optional but recommended: be strict about wildcards
|
||||||
|
SSL_set_hostflags(s->ssl,
|
||||||
|
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
|
||||||
|
|
||||||
|
// Also set for SNI (Server Name Indication)
|
||||||
SSL_set_tlsext_host_name(s->ssl, addr.name->data);
|
SSL_set_tlsext_host_name(s->ssl, addr.name->data);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
int ret = SSL_connect(s->ssl);
|
int ret = SSL_connect(s->ssl);
|
||||||
if (ret == 1) {
|
if (ret == 1) {
|
||||||
@@ -2738,7 +2752,7 @@ static int socket_manager_translate_events_nolock(
|
|||||||
s->server_secure_context = NULL;
|
s->server_secure_context = NULL;
|
||||||
s->client_secure_context = NULL;
|
s->client_secure_context = NULL;
|
||||||
if (secure)
|
if (secure)
|
||||||
&s->server_secure_context = sm->server_secure_context;
|
s->server_secure_context = &sm->server_secure_context;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
socket_update(s);
|
socket_update(s);
|
||||||
|
|||||||
@@ -1,4 +1,2 @@
|
|||||||
- From Claude:
|
|
||||||
While peer verification is enabled, there's no hostname verification. An attacker with any valid certificate could MITM connections. Should add SSL_set1_host(ssl, hostname);
|
|
||||||
- Add connection timeouts
|
- Add connection timeouts
|
||||||
- Per RFC 6265, cookie values can be quoted. This parser would include the quotes in the value.
|
- Per RFC 6265, cookie values can be quoted. This parser would include the quotes in the value.
|
||||||
|
|||||||
+15
-1
@@ -465,9 +465,23 @@ static void socket_update(Socket *s)
|
|||||||
else
|
else
|
||||||
addr = s->addr;
|
addr = s->addr;
|
||||||
|
|
||||||
if (addr.name)
|
if (addr.name) {
|
||||||
|
|
||||||
|
// Set expected hostname for verification
|
||||||
|
if (SSL_set1_host(s->ssl, addr.name->data) != 1) {
|
||||||
|
s->state = SOCKET_STATE_DIED;
|
||||||
|
s->events = 0;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Optional but recommended: be strict about wildcards
|
||||||
|
SSL_set_hostflags(s->ssl,
|
||||||
|
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
|
||||||
|
|
||||||
|
// Also set for SNI (Server Name Indication)
|
||||||
SSL_set_tlsext_host_name(s->ssl, addr.name->data);
|
SSL_set_tlsext_host_name(s->ssl, addr.name->data);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
int ret = SSL_connect(s->ssl);
|
int ret = SSL_connect(s->ssl);
|
||||||
if (ret == 1) {
|
if (ret == 1) {
|
||||||
|
|||||||
Reference in New Issue
Block a user