authorSergei Golubchik <serg@mariadb.org>2017-04-25 23:00:58 +0200
committerSergei Golubchik <serg@mariadb.org>2017-04-27 19:12:44 +0200
commit1b27c254731747756d254f96cd8666dae3f0809b (patch)
tree4647958d45742c088fcb6e6afd01797fc6972158 /sql-common
parentb8c840500816c514b6722145a7f307c499793b69 (diff)
MDEV-10594 SSL hostname verification fails for SubjectAltNames
Use X509_check_host for OpenSSL 1.0.2+. This adds: * support for subjectAltNames * wildcards * sub-domain matching
Diffstat (limited to 'sql-common')
-rw-r--r--sql-common/client.c21
1 files changed, 11 insertions, 10 deletions
diff --git a/sql-common/client.c b/sql-common/client.c
index 42b6667b1bf..332e60947e6 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1768,15 +1768,22 @@ mysql_get_ssl_cipher(MYSQL *mysql __attribute__((unused)))
#if defined(HAVE_OPENSSL)
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(HAVE_YASSL)
+#include <openssl/x509v3.h>
+#define HAVE_X509_check_host
+#endif
+
static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const char **errptr)
{
SSL *ssl;
X509 *server_cert= NULL;
+#ifndef HAVE_X509_check_host
char *cn= NULL;
int cn_loc= -1;
ASN1_STRING *cn_asn1= NULL;
X509_NAME_ENTRY *cn_entry= NULL;
X509_NAME *subject= NULL;
+#endif
int ret_validation= 1;
DBUG_ENTER("ssl_verify_server_cert");
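Review bot: The version gate on the first added line falls back silently to the CN-only path whenever OPENSSL_VERSION_NUMBER is not yet defined at this point, because an undefined macro evaluates to 0 inside `#if`; whether an OpenSSL header has already been included above is outside the hunk, so this is worth confirming. A short comment on the gate would make the intent clear, e.g. `/* X509_check_host() exists since OpenSSL 1.0.2; yaSSL has no equivalent and keeps the CN-only check below */`. Since the fallback is the weaker validation, a build-time diagnostic (for example a `#warning`) when it is selected on a non-yaSSL build would make an accidental downgrade visible.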
@@ -1811,14 +1818,9 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c
are what we expect.
*/
- /*
- Some notes for future development
- We should check host name in alternative name first and then if needed check in common name.
- Currently yssl doesn't support alternative name.
- openssl 1.0.2 support X509_check_host method for host name validation, we may need to start using
- X509_check_host in the future.
- */
-
+#ifdef HAVE_X509_check_host
+ ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1;
+#else
subject= X509_get_subject_name(server_cert);
cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
if (cn_loc < 0)
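Review bot: X509_check_host() on the added line matches server_hostname only against dNSName entries and the CN, so when the client connects by IP literal an iPAddress subjectAltName is never consulted and validation fails unless the CN happens to equal the IP text. OpenSSL 1.0.2 also provides X509_check_ip_asc(), so a fallback such as `if (ret_validation) ret_validation= X509_check_ip_asc(server_cert, server_hostname, 0) != 1;` would cover that case. The `!= 1` comparison correctly treats the -1/-2 error returns as failures. Passing 0 as flags keeps OpenSSL's default wildcard rules, which accept partial wildcards such as `f*o.example.com`; X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS is available if a stricter policy is intended. The body of ssl_verify_server_cert continues outside the hunk.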
@@ -1826,7 +1828,6 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c
*errptr= "Failed to get CN location in the certificate subject";
goto error;
}
-
cn_entry= X509_NAME_get_entry(subject, cn_loc);
if (cn_entry == NULL)
{
@@ -1855,7 +1856,7 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c
/* Success */
ret_validation= 0;
}
-
+#endif
*errptr= "SSL certificate validation failure";
error: