|
Lines 1113-1139
Link Here
|
| 1113 |
} |
1113 |
} |
| 1114 |
if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) && |
1114 |
if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) && |
| 1115 |
hostname_note) { |
1115 |
hostname_note) { |
| 1116 |
const char *hostname; |
1116 |
apr_array_header_t *ids; |
| 1117 |
int match = 0; |
1117 |
char *cp; |
|
|
1118 |
int i; |
| 1119 |
char **id; |
| 1120 |
BOOL is_wildcard, matched = FALSE; |
| 1118 |
|
1121 |
|
| 1119 |
hostname = ssl_var_lookup(NULL, server, c, NULL, |
|
|
| 1120 |
"SSL_CLIENT_S_DN_CN"); |
| 1121 |
apr_table_unset(c->notes, "proxy-request-hostname"); |
1122 |
apr_table_unset(c->notes, "proxy-request-hostname"); |
|
|
1123 |
if (!SSL_X509_getIDs(c->pool, cert, &ids)) { |
| 1124 |
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO() |
| 1125 |
"SSL Proxy: Failure to extract DNs from" |
| 1126 |
" peer certificate." |
| 1127 |
" Requested hostname: %s", hostname_note); |
| 1128 |
/* ensure that the SSL structures etc are freed, etc: */ |
| 1129 |
ssl_filter_io_shutdown(filter_ctx, c, 1); |
| 1130 |
apr_table_setn(c->notes, "SSL_connect_rv", "err"); |
| 1131 |
return HTTP_BAD_GATEWAY; |
| 1132 |
} |
| 1122 |
|
1133 |
|
| 1123 |
/* Do string match or simplest wildcard match if that |
1134 |
id = (char **)ids->elts; |
| 1124 |
* fails. */ |
1135 |
for (i = 0; i < ids->nelts; i++) { |
| 1125 |
match = strcasecmp(hostname, hostname_note) == 0; |
1136 |
if (!id[i]) |
| 1126 |
if (!match && strncmp(hostname, "*.", 2) == 0) { |
1137 |
continue; |
| 1127 |
const char *p = ap_strchr_c(hostname_note, '.'); |
1138 |
|
| 1128 |
|
1139 |
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO() |
| 1129 |
match = p && strcasecmp(p, hostname + 1) == 0; |
1140 |
"SSL Proxy: Peer certificate check:" |
|
|
1141 |
" %s == %s", hostname_note, id[i]); |
| 1142 |
/* |
| 1143 |
* Determine if it is a wildcard ID - we're restrictive |
| 1144 |
* in the sense that we require the wildcard character to be |
| 1145 |
* THE left-most label (i.e., the ID must start with "*.") |
| 1146 |
*/ |
| 1147 |
is_wildcard = (*id[i] == '*' && *(id[i]+1) == '.') ? TRUE : FALSE; |
| 1148 |
|
| 1149 |
/* |
| 1150 |
* If the ID includes a wildcard character, check if it matches |
| 1151 |
* for the left-most DNS label (i.e., the wildcard character |
| 1152 |
* is not allowed to match a dot). Otherwise, try a simple |
| 1153 |
* string compare, case insensitively. |
| 1154 |
*/ |
| 1155 |
if ((is_wildcard == TRUE && |
| 1156 |
(cp = strchr(hostname_note, '.')) && |
| 1157 |
!strcasecmp(id[i]+1, cp)) || |
| 1158 |
!strcasecmp(id[i], hostname_note)) { |
| 1159 |
matched = TRUE; |
| 1160 |
break; |
| 1161 |
} |
| 1130 |
} |
1162 |
} |
| 1131 |
|
1163 |
|
| 1132 |
if (!match) { |
1164 |
if (matched == FALSE) { |
| 1133 |
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02005) |
1165 |
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02005) |
| 1134 |
"SSL Proxy: Peer certificate CN mismatch:" |
1166 |
"SSL Proxy: Peer certificate CN mismatch:" |
| 1135 |
" Certificate CN: %s Requested hostname: %s", |
1167 |
" Requested hostname: %s." |
| 1136 |
hostname, hostname_note); |
1168 |
" Last DN checked: %s.", |
|
|
1169 |
hostname_note, id[i-1]); |
| 1137 |
/* ensure that the SSL structures etc are freed, etc: */ |
1170 |
/* ensure that the SSL structures etc are freed, etc: */ |
| 1138 |
ssl_filter_io_shutdown(filter_ctx, c, 1); |
1171 |
ssl_filter_io_shutdown(filter_ctx, c, 1); |
| 1139 |
apr_table_setn(c->notes, "SSL_connect_rv", "err"); |
1172 |
apr_table_setn(c->notes, "SSL_connect_rv", "err"); |