diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc
index 15c47f32..b14a054e 100644
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -984,11 +984,21 @@ int verify_hostname(X509 *cert, const StringRef &hostname,
 }
 auto len = ASN1_STRING_length(altname->d.ia5);
+ if (len == 0) {
+ continue;
+ }
 if (std::find(name, name + len, '\0') != name + len) {
 // Embedded NULL is not permitted.
 continue;
 }
+ if (name[len - 1] == '.') {
+ --len;
+ if (len == 0) {
+ continue;
+ }
+ }
+
 if (tls_hostname_match(StringRef{name, static_cast(len)},
 hostname)) {
 return 0;
@@ -1140,7 +1150,7 @@ void CertLookupTree::add_cert(SSL_CTX *ssl_ctx, const StringRef &hostname) {
 if (hostname.empty()) {
 return;
 }
- // Copy hostname including terminal NULL
+ // Copy hostname
 auto host_copy = make_unique(hostname.size() + 1);
 std::copy(std::begin(hostname), std::end(hostname), host_copy.get());
 host_copy[hostname.size()] = '\0';
@@ -1234,11 +1244,21 @@ int cert_lookup_tree_add_cert_from_file(CertLookupTree *lt, SSL_CTX *ssl_ctx,
 }
 auto len = ASN1_STRING_length(altname->d.ia5);
+ if (len == 0) {
+ continue;
+ }
 if (std::find(name, name + len, '\0') != name + len) {
 // Embedded NULL is not permitted.
 continue;
 }
+ if (name[len - 1] == '.') {
+ --len;
+ if (len == 0) {
+ continue;
+ }
+ }
+
 lt->add_cert(ssl_ctx, StringRef{name, static_cast(len)});
 }
 }
@@ -1248,6 +1268,16 @@ int cert_lookup_tree_add_cert_from_file(CertLookupTree *lt, SSL_CTX *ssl_ctx,
 return 0;
 }
+ if (cn[cn.size() - 1] == '.') {
+ if (cn.size() == 1) {
+ OPENSSL_free(const_cast(cn.c_str()));
+
+ return 0;
+ }
+
+ cn = StringRef{cn.c_str(), cn.size() - 1};
+ }
+
 lt->add_cert(ssl_ctx, cn);
 OPENSSL_free(const_cast(cn.c_str()));
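Review bot: The trailing-dot handling inserted before the tls_hostname_match call normalises only the certificate side of the comparison; `hostname`, which verify_hostname receives from a caller outside this hunk, is matched as given, so unless that caller strips a trailing dot as well, a peer name of `example.com.` checked against a SAN of `example.com` would presumably still fail to match — worth confirming at the call site. A short why-comment would also help the next reader, e.g. `// Drop one trailing dot (absolute FQDN form) before matching.` The same six-line block is repeated verbatim in the hunk for cert_lookup_tree_add_cert_from_file and again in common-name form in the last hunk; a small static helper that returns the adjusted length (0 meaning "skip this name") would keep the three copies in step, as sketched below. The enclosing loop over the subject alternative names starts before this hunk.
```cpp
// Returns len with a single trailing '.' removed; a result of 0 means the
// name is empty after stripping and the caller should skip it.
static int strip_trailing_dot(const char *name, int len) {
  if (len > 0 && name[len - 1] == '.') {
    --len;
  }
  return len;
}
// … unchanged: SAN iteration, embedded-NUL check …
len = strip_trailing_dot(name, len);
if (len == 0) {
  continue;
}
```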
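Review bot: The shortened comment `// Copy hostname` drops the one fact the next three lines need a reader to know: `host_copy` is allocated with one byte more than `hostname.size()` and `host_copy[hostname.size()] = '\0'` still NUL-terminates it, so this is not a plain clone of the StringRef's bytes. I would keep that in the comment, e.g. `// Copy hostname into a NUL-terminated buffer`, rather than removing it. The body of add_cert continues outside this hunk.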