walkero
/
nghttp2
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

nghttpx: Fail handshake if server certificate verification fails 

Previously, we drop connection if server certificate verification
fails after handshake.  With this commit, we fail handshake if that
happens.
This commit is contained in:
Tatsuhiro Tsujikawa 2017-04-01 13:41:41 +09:00
parent 236c835abc
commit b12c2a13c0
1 changed files with 4 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/shrpx_ssl.cc
View File

@ -962,6 +962,10 @@ SSL_CTX *create_ssl_client_context(
}
}
if (!tlsconf.insecure) {
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, nullptr);
}
if (!cert_file.empty()) {
if (SSL_CTX_use_certificate_chain_file(ssl_ctx, cert_file.c_str()) != 1) {
@ -1284,12 +1288,6 @@ int check_cert(SSL *ssl, const Address *addr, const StringRef &host) {
return 0;
}
auto cert_deleter = defer(X509_free, cert);
auto verify_res = SSL_get_verify_result(ssl);
if (verify_res != X509_V_OK) {
LOG(ERROR) << "Certificate verification failed: "
<< X509_verify_cert_error_string(verify_res);
return -1;
}
if (verify_hostname(cert, host, addr) != 0) {
LOG(ERROR) << "Certificate verification failed: hostname does not match";