Aren/haiku
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

BSecureSocket: Pass the hostname to the X509 layer to validate it.

Browse Source 
Now SSL certificates with the wrong hostname actually fail to validate.
While I'm at it, remove the usage of BString and just check [0] directly.

Spotted by a random commenter on Hacker News.
This commit is contained in:
Augustin Cavalier 2019-08-23 17:50:28 -04:00
parent 759ee24c4c
commit 8d63a9060e
1 changed files with 3 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/kits/network/libnetapi/SecureSocket.cpp
View File

@ -589,13 +589,11 @@ BSecureSocket::_SetupCommon(const char* host)
BIO_set_fd(fPrivate->fBIO, fSocket, BIO_NOCLOSE);
SSL_set_bio(fPrivate->fSSL, fPrivate->fBIO, fPrivate->fBIO);
SSL_set_ex_data(fPrivate->fSSL, Private::sDataIndex, this);
if (host != NULL) {
BString hostString = host;
if (hostString != "")
SSL_set_tlsext_host_name(fPrivate->fSSL, host);
if (host != NULL && host[0] != '\0') {
SSL_set_tlsext_host_name(fPrivate->fSSL, host);
X509_VERIFY_PARAM_set1_host(SSL_get0_param(fPrivate->fSSL), host, 0);
}
return B_OK;
}