
2015-12-03

2015-12-03 14:41:39 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Connection: Added server_name validation against cert.

cert_data->server_name_verified will be set to 1 on success, 0 on
failure, and be UNDEFINED on unknown (i.e. server_name not set).

265:       if(result->verified)    { +  if (session->server_name) { +  array(Standards.X509.TBSCertificate) certs = +  [array(Standards.X509.TBSCertificate)](result->certificates); +  Standards.X509.TBSCertificate cert = certs[-1]; +  array(string) globs = Standards.PKCS.Certificate. +  decode_distinguished_name(cert->subject)->commonNmae - ({ 0 }); +  if (cert->ext_subjectAltName_dNSName) { +  globs += cert->ext_subjectAltName_dNSName; +  } +  result->server_name_verified = 0; +  foreach(globs, string g) { +  if (glob(g, session->server_name)) { +  result->server_name_verified = 1; +  break; +  } +  } +  }    // This data isn't actually used internally.    session->cert_data = result;    return 1;
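Review bot: `->commonNmae` in the `decode_distinguished_name(cert->subject)->commonNmae - ({ 0 })` line is a typo for `commonName`, so the subject CN is never consulted: the mapping lookup yields 0 and the following `- ({ 0 })` is applied to an integer instead of the CN array, meaning a host whose name appears only in the CN will never get `server_name_verified = 1`. Separately, `glob(g, session->server_name)` treats every CN and dNSName as a shell-style pattern rather than a host name: a `*` matches across label boundaries (`*.example.com` would accept `a.b.example.com`), `?` and mid-string wildcards are honoured, and the comparison is case-sensitive although DNS names are not. Consider comparing the names literally after lower-casing both sides and only giving a leading `*.` wildcard special treatment, restricted to the leftmost label. It would also help to note in a comment that `server_name_verified` deliberately stays UNDEFINED when no server_name was sent, since the `result->server_name_verified = 0` default is only assigned inside the `if (session->server_name)` branch.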