diff options
| author | Michael Gmelin <mg@grem.de> | 2018-01-19 00:24:39 +0100 |
|---|---|---|
| committer | Sergei Golubchik <serg@mariadb.org> | 2018-04-03 16:20:04 +0200 |
| commit | ed33296246091780439bdbcb087027d2a8bf8eeb (patch) | |
| tree | db122368acb88d89094192a9d8241d5eee08ca4a /sql-common | |
| parent | 7ffa82b03c8da12062223d5e332e972d6f828d44 (diff) | |
| download | mariadb-git-ed33296246091780439bdbcb087027d2a8bf8eeb.tar.gz | |
Fix LibreSSL X509 (SSL) certificate hostname checking.
(Currently) LibreSSL doesn't calculate the string length of the hostname
that's passed to X509_check_host automatically in case namelen/chklen is 0.
This causes server certificate validation to fail when building MariaDB with
LibreSSL.
The proposed fix makes MariaDB determine the string length passed to
X509_check_host. As there are no ill side-effects (OpenSSL's X509_check_host
also simply calls strlen if namelen == 0, see also X509_check_host(3)), this
wasn't wrapped in any #ifdef like constructs.
Please see here for a proposed patch to modify LibreSSL's behavior:
https://github.com/libressl-portable/openbsd/pull/87
Diffstat (limited to 'sql-common')
| -rw-r--r-- | sql-common/client.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sql-common/client.c b/sql-common/client.c index da18a0fdea1..e2d4a0949df 100644 --- a/sql-common/client.c +++ b/sql-common/client.c @@ -1821,7 +1821,8 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c */ #ifdef HAVE_X509_check_host - ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1; + ret_validation= X509_check_host(server_cert, server_hostname, + strlen(server_hostname), 0, 0) != 1; #else subject= X509_get_subject_name(server_cert); cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1); |