Set expected certificate hostname when connecting to an HTTPS server

This commit is contained in:
2025-11-23 23:54:10 +01:00
parent 1be0c14415
commit aa158980f5
3 changed files with 31 additions and 5 deletions
+16 -2
View File
@@ -2435,8 +2435,22 @@ static void socket_update(Socket *s)
else else
addr = s->addr; addr = s->addr;
if (addr.name) if (addr.name) {
// Set expected hostname for verification
if (SSL_set1_host(s->ssl, addr.name->data) != 1) {
s->state = SOCKET_STATE_DIED;
s->events = 0;
break;
}
// Optional but recommended: be strict about wildcards
SSL_set_hostflags(s->ssl,
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
// Also set for SNI (Server Name Indication)
SSL_set_tlsext_host_name(s->ssl, addr.name->data); SSL_set_tlsext_host_name(s->ssl, addr.name->data);
}
} }
int ret = SSL_connect(s->ssl); int ret = SSL_connect(s->ssl);
@@ -2738,7 +2752,7 @@ static int socket_manager_translate_events_nolock(
s->server_secure_context = NULL; s->server_secure_context = NULL;
s->client_secure_context = NULL; s->client_secure_context = NULL;
if (secure) if (secure)
&s->server_secure_context = sm->server_secure_context; s->server_secure_context = &sm->server_secure_context;
#endif #endif
socket_update(s); socket_update(s);
-2
View File
@@ -1,4 +1,2 @@
- From Claude:
While peer verification is enabled, there's no hostname verification. An attacker with any valid certificate could MITM connections. Should add SSL_set1_host(ssl, hostname);
- Add connection timeouts - Add connection timeouts
- Per RFC 6265, cookie values can be quoted. This parser would include the quotes in the value. - Per RFC 6265, cookie values can be quoted. This parser would include the quotes in the value.
+15 -1
View File
@@ -465,8 +465,22 @@ static void socket_update(Socket *s)
else else
addr = s->addr; addr = s->addr;
if (addr.name) if (addr.name) {
// Set expected hostname for verification
if (SSL_set1_host(s->ssl, addr.name->data) != 1) {
s->state = SOCKET_STATE_DIED;
s->events = 0;
break;
}
// Optional but recommended: be strict about wildcards
SSL_set_hostflags(s->ssl,
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
// Also set for SNI (Server Name Indication)
SSL_set_tlsext_host_name(s->ssl, addr.name->data); SSL_set_tlsext_host_name(s->ssl, addr.name->data);
}
} }
int ret = SSL_connect(s->ssl); int ret = SSL_connect(s->ssl);