diff options
| author | Vladislav Vaintroub <wlad@mariadb.com> | 2019-04-24 11:15:08 +0200 |
|---|---|---|
| committer | Vladislav Vaintroub <wlad@mariadb.com> | 2019-04-28 12:49:59 +0200 |
| commit | e116f11f0aeb740667294185534c859928dc125d (patch) | |
| tree | 987944514ecc5fc1b865be3c1638488f6e0a7c7c /sql-common | |
| parent | eb9b03ab488d160aee487389605941a584e6074d (diff) | |
| download | mariadb-git-e116f11f0aeb740667294185534c859928dc125d.tar.gz | |
MDEV-18131 MariaDB does not verify IP addresses from subject alternative
names
Added a call to X509_check_ip_asc() in case server_hostname represents
an IP address.
Diffstat (limited to 'sql-common')
| -rw-r--r-- | sql-common/client.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/sql-common/client.c b/sql-common/client.c index 60aa558dfb3..4420a1afc17 100644 --- a/sql-common/client.c +++ b/sql-common/client.c @@ -1838,8 +1838,10 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c */ #ifdef HAVE_X509_check_host - ret_validation= X509_check_host(server_cert, server_hostname, - strlen(server_hostname), 0, 0) != 1; + ret_validation= + (X509_check_host(server_cert, server_hostname, + strlen(server_hostname), 0, 0) != 1) && + (X509_check_ip_asc(server_cert, server_hostname, 0) != 1); #else subject= X509_get_subject_name(server_cert); cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1); |