Add SSL host validation check to X509_V_OK code path
Based on the man page for SSL_get_verify_result, a good certificate
verification can result in X509_V_OK. In this case, the previously
added peer host name validation would not happen. So add it to this
case, too.
diff --git a/src/core/transport/http/sender/ssl/ssl_utils.c b/src/core/transport/http/sender/ssl/ssl_utils.c
index 23e2583..06d4126 100644
--- a/src/core/transport/http/sender/ssl/ssl_utils.c
+++ b/src/core/transport/http/sender/ssl/ssl_utils.c
@@ -274,6 +274,31 @@
sslerror);
return NULL;
}
+ else {
+ /* X509_V_OK means verification succeeded or no peer cert was presented.
+ * We need to check which is the case, so let's see if there's a
+ * peer cert.
+ */
+ X509 *peer_cert = NULL;
+ peer_cert = SSL_get_peer_certificate(ssl);
+ if (peer_cert) {
+ /* if the caller passed a hostname, verify it against the cert */
+ if (host) {
+ if (X509_check_host(peer_cert, host, strlen(host), 0, NULL) == 1) {
+ AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI,
+ "[ssl client] peer name matches certificate CN/SAN");
+ } else {
+ AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI,
+ "[ssl client] peer name does not match certificate CN/SAN");
+ X509_free(peer_cert);
+ return NULL;
+ }
+ }
+
+ X509_free(peer_cert);
+ }
+
+ }
return ssl;
}
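Review bot: When `host` is supplied but `SSL_get_peer_certificate()` returns NULL, the new `else` branch falls through to `return ssl` with no host check at all, so a handshake that negotiated an anonymous cipher suite (the case the comment itself describes, where X509_V_OK is reported with no peer certificate) is accepted exactly as if the name had matched; SSL_VERIFY_PEER does not close this gap on the client side, since OpenSSL ignores it when no server certificate is sent. I would fail closed in that case: after the `if (peer_cert) { ... }` block add `} else if (host) { AXIS2_LOG_ERROR(env->log, AXIS2_LOG_SI, "[ssl client] no peer certificate to verify host name against"); return NULL; }`. Related, the mismatch branch logs a security-relevant rejection at AXIS2_LOG_DEBUG, which will be invisible in most deployments; logging it with `AXIS2_LOG_ERROR` (as I assume the preceding `sslerror` path does, though that line is outside the hunk) makes a failed name check actually observable. Minor style: `X509 *peer_cert = NULL;` immediately followed by the assignment can be collapsed to `X509 *peer_cert = SSL_get_peer_certificate(ssl);`. The enclosing function begins outside the hunk, so I cannot confirm whether the early `return NULL` paths are expected to leave `ssl` for the caller to free, as the existing path above appears to.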