nghttpx: Remove trailing "." from SAN DNS name and CN

src/shrpx_ssl.cc

@@ -984,11 +984,21 @@ int verify_hostname(X509 *cert, const StringRef &hostname,
       }
 
       auto len = ASN1_STRING_length(altname->d.ia5);
+      if (len == 0) {
+        continue;
+      }
       if (std::find(name, name + len, '\0') != name + len) {
         // Embedded NULL is not permitted.
         continue;
       }
 
+      if (name[len - 1] == '.') {
+        --len;
+        if (len == 0) {
+          continue;
+        }
+      }
+
       if (tls_hostname_match(StringRef{name, static_cast<size_t>(len)},
                              hostname)) {
         return 0;
@@ -1140,7 +1150,7 @@ void CertLookupTree::add_cert(SSL_CTX *ssl_ctx, const StringRef &hostname) {
   if (hostname.empty()) {
     return;
   }
-  // Copy hostname including terminal NULL
+  // Copy hostname
   auto host_copy = make_unique<char[]>(hostname.size() + 1);
   std::copy(std::begin(hostname), std::end(hostname), host_copy.get());
   host_copy[hostname.size()] = '\0';
@@ -1234,11 +1244,21 @@ int cert_lookup_tree_add_cert_from_file(CertLookupTree *lt, SSL_CTX *ssl_ctx,
       }
 
       auto len = ASN1_STRING_length(altname->d.ia5);
+      if (len == 0) {
+        continue;
+      }
       if (std::find(name, name + len, '\0') != name + len) {
         // Embedded NULL is not permitted.
         continue;
       }
 
+      if (name[len - 1] == '.') {
+        --len;
+        if (len == 0) {
+          continue;
+        }
+      }
+
       lt->add_cert(ssl_ctx, StringRef{name, static_cast<size_t>(len)});
     }
   }
@@ -1248,6 +1268,16 @@ int cert_lookup_tree_add_cert_from_file(CertLookupTree *lt, SSL_CTX *ssl_ctx,
     return 0;
   }
 
+  if (cn[cn.size() - 1] == '.') {
+    if (cn.size() == 1) {
+      OPENSSL_free(const_cast<char *>(cn.c_str()));
+
+      return 0;
+    }
+
+    cn = StringRef{cn.c_str(), cn.size() - 1};
+  }
+
   lt->add_cert(ssl_ctx, cn);
 
   OPENSSL_free(const_cast<char *>(cn.c_str()));