diff options
Diffstat (limited to 'src/ne_gnutls.c')
-rw-r--r-- | src/ne_gnutls.c | 39 |
1 files changed, 13 insertions, 26 deletions
diff --git a/src/ne_gnutls.c b/src/ne_gnutls.c index 1f1be93..3e0495f 100644 --- a/src/ne_gnutls.c +++ b/src/ne_gnutls.c @@ -325,27 +325,6 @@ void ne_ssl_cert_validity_time(const ne_ssl_certificate *cert, } } -/* Return non-zero if hostname from certificate (cn) matches hostname - * used for session (hostname). (Wildcard matching is no longer - * mandated by RFC3280, but certs are deployed which use wildcards) */ -static int match_hostname(char *cn, const char *hostname) -{ - const char *dot; - dot = strchr(hostname, '.'); - if (dot == NULL) { - char *pnt = strchr(cn, '.'); - /* hostname is not fully-qualified; unqualify the cn. */ - if (pnt != NULL) { - *pnt = '\0'; - } - } - else if (strncmp(cn, "*.", 2) == 0) { - hostname = dot + 1; - cn += 2; - } - return !ne_strcasecmp(cn, hostname); -} - /* Check certificate identity. Returns zero if identity matches; 1 if * identity does not match, or <0 if the certificate had no identity. * If 'identity' is non-NULL, store the malloc-allocated identity in @@ -371,7 +350,7 @@ static int check_identity(const ne_uri *server, gnutls_x509_crt cert, case GNUTLS_SAN_DNSNAME: name[len] = '\0'; if (identity && !found) *identity = ne_strdup(name); - match = match_hostname(name, hostname); + match = ne__ssl_match_hostname(name, hostname); found = 1; break; case GNUTLS_SAN_IPADDRESS: { @@ -440,7 +419,7 @@ static int check_identity(const ne_uri *server, gnutls_x509_crt cert, seq, 0, name, &len); if (ret == 0) { if (identity) *identity = ne_strdup(name); - match = match_hostname(name, hostname); + match = ne__ssl_match_hostname(name, hostname); } } else { return -1; @@ -575,6 +554,7 @@ static int provide_client_cert(gnutls_session session, } } else { NE_DEBUG(NE_DBG_SSL, "No client certificate supplied.\n"); + sess->ssl_cc_requested = 1; return GNUTLS_E_NO_CERTIFICATE_FOUND; } @@ -733,9 +713,16 @@ int ne__negotiate_ssl(ne_session *sess) sess->flags[NE_SESSFLAG_TLS_SNI] ? sess->server.hostname : NULL; if (ne_sock_connect_ssl(sess->socket, ctx, sess)) { - ne_set_error(sess, _("SSL negotiation failed: %s"), - ne_sock_error(sess->socket)); - return NE_ERROR; + if (sess->ssl_cc_requested) { + ne_set_error(sess, _("SSL negotiation failed, " + "client certificate was requested: %s"), + ne_sock_error(sess->socket)); + } + else { + ne_set_error(sess, _("SSL negotiation failed: %s"), + ne_sock_error(sess->socket)); + } + return NE_ERROR; } sock = ne__sock_sslsock(sess->socket); |