ssluse.c patch
Date: Mon, 17 May 2004 13:37:16 +0200
I have an updated patch for ssluse.c correcting:
- when multiple common names are used (as in the curl tests),
the last name needs to be selected.
- allow comparing with encoded values, at least with BMP
and ISO latin1 encoded T61strings.
I noticed that recently there was a change so that the hostname
in a connection now also has a 'dispname', which seems to be
the form to be used in fprintf etc.
I haven't touched the occurrence of failf in hostthre.c
comments are welcome
Peter Sylvester
*** curl-7.12.0-20040517mod/lib/ssluse.c Mon May 17 12:59:13 2004
--- curl-7.12.0-20040517/lib/ssluse.c Thu May 13 17:19:02 2004
***************
*** 872,896 ****
if(matched)
/* an alternative name matched the server hostname */
! infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
else {
! /* we have to look to the last occurence of a commonName in the
! distinguished one to get the most significant one. */
! int j,i=-1 ;
! unsigned char * peer_CN=NULL;
!
! X509_NAME *name = X509_get_subject_name(server_cert) ;
! if (name)
! while ((j=X509_NAME_get_index_by_NID(name,NID_commonName,i))>=0)
! i=j;
!
! /* we have the name entry and we will now convert this to a string
! that we can use for comparison. Doing this we support BMPstring,
! UTF8 etc. */
! if (i>=0)
! j = ASN1_STRING_to_UTF8(&peer_CN,X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name,i))) ;
!
! if (!peer_CN) {
if(data->set.ssl.verifyhost > 1) {
failf(data,
"SSL: unable to obtain common name from peer certificate");
--- 872,884 ----
if(matched)
/* an alternative name matched the server hostname */
! infof(data, "\t subjectAltName: %s matched\n", conn->host.name);
else {
! bool obtain=FALSE;
! if(X509_NAME_get_text_by_NID(X509_get_subject_name(server_cert),
! NID_commonName,
! peer_CN,
! sizeof(peer_CN)) < 0) {
if(data->set.ssl.verifyhost > 1) {
failf(data,
"SSL: unable to obtain common name from peer certificate");
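Review bot: The length that `ASN1_STRING_to_UTF8` returns into `j` is discarded, so a commonName whose UTF-8 form contains an embedded NUL byte reaches `cert_hostcheck` and the `%s` formats as a shorter C string than the certificate actually carries; compare the two before the `if (!peer_CN)` check, e.g. `if (j >= 0 && (size_t)j != strlen((char *)peer_CN)) { OPENSSL_free(peer_CN); peer_CN = NULL; }`, so that such a name takes the existing "unable to obtain common name" path. This diff appears to have been generated with the modified tree as the first argument, so the `*** 872,896 ****` side is the proposed code and the `--- 872,884 ----` side is the current one. The code also relies on a failed conversion leaving `peer_CN` at its NULL initialiser; a one-line comment such as `/* peer_CN stays NULL unless the conversion succeeds */` above the `if (!peer_CN)` would make that explicit. The enclosing function starts before this hunk and continues after it.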
***************
*** 901,922 ****
output a note about the situation */
infof(data, "\t common name: WARNING couldn't obtain\n");
}
! } else if(!cert_hostcheck(peer_CN, conn->host.name)) {
! if(data->set.ssl.verifyhost > 1) {
! failf(data, "SSL: certificate subject name '%s' does not match "
! "target host name '%s'", peer_CN, conn->host.dispname);
! OPENSSL_free(peer_CN);
! return CURLE_SSL_PEER_CERTIFICATE ;
}
else
! infof(data, "\t common name: %s (does not match '%s')\n",
! peer_CN, conn->host.dispname);
}
! else {
! infof(data, "\t common name: %s (matched)\n", peer_CN);
! OPENSSL_free(peer_CN);
! }
! }
return CURLE_OK;
}
#endif
--- 889,914 ----
output a note about the situation */
infof(data, "\t common name: WARNING couldn't obtain\n");
}
! }
! else
! obtain = TRUE;
!
! if(obtain) {
! if(!cert_hostcheck(peer_CN, conn->host.name)) {
! if(data->set.ssl.verifyhost > 1) {
! failf(data, "SSL: certificate subject name '%s' does not match "
! "target host name '%s'", peer_CN, conn->host.name);
! return CURLE_SSL_PEER_CERTIFICATE;
! }
! else
! infof(data, "\t common name: %s (does not match '%s')\n",
! peer_CN, conn->host.name);
}
else
! infof(data, "\t common name: %s (matched)\n", peer_CN);
}
! }
!
return CURLE_OK;
}
#endif
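Review bot: `peer_CN` is never released on the path where the name does not match and `verifyhost` is 1 (the `infof("\t common name: %s (does not match '%s')\n", ...)` branch), while the matched branch and the failing branch both call `OPENSSL_free`, so every non-fatal mismatch leaks the UTF-8 copy; add `OPENSSL_free(peer_CN);` after that `infof`, or free once after the whole if/else chain and keep only the free that precedes the early `return CURLE_SSL_PEER_CERTIFICATE`. `peer_CN` is declared `unsigned char *` in the earlier hunk but passed to `cert_hostcheck` and `%s`, so a `(char *)` cast, or declaring it `char *`, would avoid the signedness mismatch. The enclosing function begins before this hunk.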