
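--- a/httpd-2.2.11.orig/modules/ssl/ssl_engine_init.c
+++ b/httpd-2.2.11.orig/modules/ssl/ssl_engine_init.c
@@ -830,18 +830,19 @@
         int fnm_flags = APR_FNM_PERIOD|APR_FNM_CASE_BLIND;
 
         if (apr_fnmatch_test(cn)) {
-            if (apr_fnmatch(cn, s->server_hostname,
-                            fnm_flags) == APR_FNM_NOMATCH) {
+            if ((apr_fnmatch(cn, s->server_hostname,
+                            fnm_flags) == APR_FNM_NOMATCH) &&
+                            !SSL_X509_checkANs(cert, s)) {
                 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
                              "%s server certificate wildcard CommonName "
                              "(CN) `%s' does NOT match server name!?",
                              ssl_asn1_keystr(type), cn);
             }
         }
-        else if (strNE(s->server_hostname, cn)) {
+        else if (strNE(s->server_hostname, cn) && !SSL_X509_checkANs(cert, s)) {
             ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
-                         "%s server certificate CommonName (CN) `%s' "
-                         "does NOT match server name!?",
+                         "%s server certificate CommonName (CN) `%s' or Subject"
+                         "Alternative Name do NOT match server name!?",
                          ssl_asn1_keystr(type), cn);
         }
     }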
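Review bot: The new warning text at new lines 844–845 is split as `"... or Subject"` followed by `"Alternative Name do NOT match ..."`, so the adjacent-literal concatenation produces "or SubjectAlternative Name" in the log; the first fragment should end with a trailing space, i.e. `or Subject "` before the closing quote. The wildcard branch at new line 835 gained the same `!SSL_X509_checkANs(cert, s)` condition, but its message at new lines 836–837 still says only that the wildcard CommonName does not match, so the two warnings now describe the same situation differently and the wildcard one should also mention the Subject Alternative Name. The enclosing function starts and ends outside this hunk.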
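--- a/httpd-2.2.11.orig/modules/ssl/ssl_util_ssl.c
+++ b/httpd-2.2.11.orig/modules/ssl/ssl_util_ssl.c
@@ -354,6 +354,47 @@
 #endif
 }
 
+/* check the list of possibly existing altnames for the server name */
+BOOL SSL_X509_checkANs(X509 *cert, server_rec *s)
+{
+#ifdef HAVE_SSL_X509V3_EXT_d2i
+  X509_EXTENSION *ext;
+  GENERAL_NAMES *gns;
+  GENERAL_NAME *gn;
+  BOOL result = FALSE;
+  int idx, i;
+
+  if ((idx = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) < 0)
+    return FALSE;
+  ext = X509_get_ext(cert, idx);
+  if (ext == NULL)
+    return FALSE;
+  if ((gns = (GENERAL_NAMES*)X509V3_EXT_d2i(ext)) == NULL)
+    return FALSE;
+
+  for(i = 0; i < sk_GENERAL_NAME_num(gns); i++) {
+    gn = sk_GENERAL_NAME_value(gns, i);
+    if (gn->type == GEN_DNS) {
+      if (apr_fnmatch_test(gn->d.ia5->data)) {
+        if (apr_fnmatch(gn->d.ia5->data, s->server_hostname, APR_FNM_PERIOD|APR_FNM_CASE_BLIND) != APR_FNM_NOMATCH) {
+          result = TRUE;
+          goto cleanup;
+        }
+      } else if (!strNE(s->server_hostname, gn->d.ia5->data)) {
+        result = TRUE;
+        goto cleanup;
+      }
+    }
+  }
+
+  cleanup:
+    GENERAL_NAMES_free(gns);
+    return result;
+#else
+  return FALSE;
+#endif
+}
+
 /* retrieve subject CommonName of certificate */
 BOOL SSL_X509_getCN(apr_pool_t *p, X509 *xs, char **cppCN)
 {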
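Review bot: The dNSName values at new lines 378–383 are handed to apr_fnmatch_test, apr_fnmatch and strNE as NUL-terminated C strings, but `gn->d.ia5` is an ASN1 string with an explicit `length`, so a name carrying an embedded NUL byte is compared only up to that byte and the result no longer reflects the full encoded name. Guard the comparisons with the decoded length, e.g. `if (strlen((const char *)gn->d.ia5->data) != (size_t)gn->d.ia5->length) continue;` directly after the `gn->type == GEN_DNS` test, so such entries are skipped rather than partially matched. The new body also uses 2-space indentation, `for(` without a space and an indented `cleanup:` label, whereas the ssl_engine_init.c hunk in this same patch uses 4-space indentation; matching the surrounding file would read better. Only the first subjectAltName extension is consulted (`X509_get_ext_by_NID(..., -1)`), which is the normal case but deserves a one-line comment stating that a certificate with several such extensions is not fully scanned.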
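--- a/httpd-2.2.11.orig/modules/ssl/ssl_util_ssl.h
+++ b/httpd-2.2.11.orig/modules/ssl/ssl_util_ssl.h
@@ -85,6 +85,7 @@
 char       *SSL_make_ciphersuite(apr_pool_t *, SSL *);
 BOOL        SSL_X509_isSGC(X509 *);
 BOOL        SSL_X509_getBC(X509 *, int *, int *);
+BOOL        SSL_X509_checkANs(X509 *, server_rec*);
 BOOL        SSL_X509_getCN(apr_pool_t *, X509 *, char **);
 BOOL        SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
 BOOL        SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);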
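Review bot: The added prototype at new line 88 writes `server_rec*` while every neighbouring declaration and the definition in ssl_util_ssl.c put the space before the star (`X509 *`, `server_rec *s`); `BOOL        SSL_X509_checkANs(X509 *, server_rec *);` keeps the list uniform. The declaration also relies on `server_rec` already being visible in this header, which presumably holds through the existing httpd includes but is worth confirming, since ssl_engine_init.c now depends on it through this header.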
