nghttpx: Use --backend-tls-sni-field to verify certificate hostname

This commit is contained in:
Tatsuhiro Tsujikawa 2015-11-08 00:19:56 +09:00
parent aecddc2cda
commit 9b18e47671
1 changed files with 4 additions and 1 deletions

View File

@ -930,7 +930,10 @@ int check_cert(SSL *ssl, const DownstreamAddr *addr) {
std::vector<std::string> dns_names; std::vector<std::string> dns_names;
std::vector<std::string> ip_addrs; std::vector<std::string> ip_addrs;
get_altnames(cert, dns_names, ip_addrs, common_name); get_altnames(cert, dns_names, ip_addrs, common_name);
if (verify_hostname(addr->host.get(), &addr->addr, dns_names, ip_addrs, auto hostname = get_config()->backend_tls_sni_name
? get_config()->backend_tls_sni_name.get()
: addr->host.get();
if (verify_hostname(hostname, &addr->addr, dns_names, ip_addrs,
common_name) != 0) { common_name) != 0) {
LOG(ERROR) << "Certificate verification failed: hostname does not match"; LOG(ERROR) << "Certificate verification failed: hostname does not match";
return -1; return -1;