Overview
Comment: | Fix the client-side SSL connection setup so that it actually verifies the hostname on the certificate from the server. |
---|---|
SHA3-256: |
aaab2a15d1dfc22f5453c2bad8f25ecf |
User & Date: | drh 2021-06-15 00:39:17 |
Context
2021-06-15
01:30 | Update the change log for the TLS security patch. ... (check-in: 3c1a2764 user: drh tags: trunk) | |
01:00 | Fix the client-side SSL connection setup so that it actually verifies the hostname on the certification from the server. ... (check-in: 8126093e user: drh tags: branch-2.14) | |
00:58 | Fix the client-side SSL connection setup so that it actually verifies the hostname on the certification from the server. ... (check-in: 7d85e21f user: drh tags: branch-2.15) | |
00:39 | Fix the client-side SSL connection setup so that it actually verifies the hostname on the certification from the server. ... (check-in: aaab2a15 user: drh tags: trunk) | |
2021-06-14
20:43 | Update the built-in SQLite to the latest 3.36.0 beta, including the bug fix to the authorizer callback such that it uses SQLITE_DROP_INDEX, not SQLITE_DROP_TEMP_INDEX, for attached indexes. ... (check-in: a9917d4f user: drh tags: trunk) | |
Changes
Changes to src/http_ssl.c.
︙ | ︙ | |||
250 251 252 253 254 255 256 257 258 259 260 261 262 263 | ** g.url.name Name of the proxy server, if proxying. ** pUrlData->port TCP/IP port to use. Ex: 80 ** ** Return the number of errors. */ int ssl_open(UrlData *pUrlData){ X509 *cert; ssl_global_init(); if( pUrlData->useProxy ){ int rc; char *connStr = mprintf("%s:%d", g.url.name, pUrlData->port); BIO *sBio = BIO_new_connect(connStr); free(connStr); | > | 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 | ** g.url.name Name of the proxy server, if proxying. ** pUrlData->port TCP/IP port to use. Ex: 80 ** ** Return the number of errors. */ int ssl_open(UrlData *pUrlData){ X509 *cert; const char *zRemoteHost; ssl_global_init(); if( pUrlData->useProxy ){ int rc; char *connStr = mprintf("%s:%d", g.url.name, pUrlData->port); BIO *sBio = BIO_new_connect(connStr); free(connStr); |
︙ | ︙ | |||
274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 | return 1; } pUrlData->path = pUrlData->proxyUrlPath; iBio = BIO_new_ssl(sslCtx, 1); BIO_push(iBio, sBio); }else{ iBio = BIO_new_ssl_connect(sslCtx); } if( iBio==NULL ) { ssl_set_errmsg("SSL: cannot open SSL (%s)", ERR_reason_error_string(ERR_get_error())); return 1; } BIO_get_ssl(iBio, &ssl); #if (SSLEAY_VERSION_NUMBER >= 0x00908070) && !defined(OPENSSL_NO_TLSEXT) | > > | < < > > > > > > > > > > | 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 | return 1; } pUrlData->path = pUrlData->proxyUrlPath; iBio = BIO_new_ssl(sslCtx, 1); BIO_push(iBio, sBio); zRemoteHost = pUrlData->hostname; }else{ iBio = BIO_new_ssl_connect(sslCtx); zRemoteHost = pUrlData->name; } if( iBio==NULL ) { ssl_set_errmsg("SSL: cannot open SSL (%s)", ERR_reason_error_string(ERR_get_error())); return 1; } BIO_get_ssl(iBio, &ssl); #if (SSLEAY_VERSION_NUMBER >= 0x00908070) && !defined(OPENSSL_NO_TLSEXT) if( !SSL_set_tlsext_host_name(ssl, zRemoteHost)){ fossil_warning("WARNING: failed to set server name indication (SNI), " "continuing without it.\n"); } #endif SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); #if OPENSSL_VERSION_NUMBER >= 0x010002000 if( !sslNoCertVerify ){ X509_VERIFY_PARAM *param = 0; param = SSL_get0_param(ssl); if( !X509_VERIFY_PARAM_set1_host(param, zRemoteHost, strlen(zRemoteHost)) ){ fossil_fatal("failed to set hostname."); } /* SSL_set_verify(ssl, SSL_VERIFY_PEER, 0); */ } #endif if( !pUrlData->useProxy ){ char *connStr = mprintf("%s:%d", pUrlData->name, pUrlData->port); BIO_set_conn_hostname(iBio, connStr); free(connStr); if( BIO_do_connect(iBio)<=0 ){ ssl_set_errmsg("SSL: cannot connect to host %s:%d (%s)", |
︙ | ︙ |
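Review bot: Setting the expected hostname on the verify parameters (new lines 299–306) only records a mismatch in `SSL_get_verify_result()`; since the `SSL_set_verify(ssl, SSL_VERIFY_PEER, 0)` call is left commented out, the handshake still completes against a non-matching certificate, so the fix is effective only if the verify result is checked after `BIO_do_connect()`, which lies outside this hunk (ssl_open continues past it). Either remove the commented-out line or replace it with a comment naming where the result is enforced, e.g. `/* Hostname mismatch surfaces via SSL_get_verify_result() after connect; checked below. */`. Two gaps worth a comment in the same block: on OpenSSL older than 1.0.2 the entire block is compiled out and the hostname check is silently skipped, and a host given as an IP literal will not match an IP subjectAltName through `X509_VERIFY_PARAM_set1_host` (OpenSSL offers `X509_VERIFY_PARAM_set1_ip_asc` for that case), so such connections would presumably fail verification. Finally, `fossil_fatal("failed to set hostname.")` aborts the process where every other failure path in this function uses `ssl_set_errmsg(...); return 1;`, consistent with the "Return the number of errors" contract in the header comment; `X509_VERIFY_PARAM *param = SSL_get0_param(ssl);` also replaces the redundant `= 0` followed by an immediate assignment.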