Daniel Stenberg wrote:
> On Tue, 15 Sep 2009, Sven Anders wrote:
>> Yes and no. A DNS or IP entry should match, but I can have other
>> entries (like email, RID, URI, otherName, ...) too. These should not be
>> considered when trying to match.
>
> Ah, it wasn't clear to me from that output that the particular field
> was not a DNS field.
>
> How about the attached patch, does it make your certificate work fine
> again?

Yes, it works.
You missed one line (1129):
matched = TRUE;
this should be:
matched = 1;
New patch is attached.
Regards
Sven
--
Sven Anders <[email protected]>
() Ascii Ribbon Campaign
/\ Support plain text e-mail
ANDURAS service solutions AG
Innstraße 71 - 94036 Passau - Germany
Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55
Legal form: Aktiengesellschaft - Registered office: Passau - Passau District Court HRB 6032
Members of the management board: Sven Anders, Marcus Junker
Chairman of the supervisory board: Mark Peters
--- curl-7.19.6/lib/ssluse.c.orig 2009-09-15 17:30:12.000000000 +0200
+++ curl-7.19.6/lib/ssluse.c 2009-09-15 17:31:24.000000000 +0200
@@ -1056,7 +1056,8 @@ cert_hostcheck(const char *match_pattern
static CURLcode verifyhost(struct connectdata *conn,
X509 *server_cert)
{
- bool matched = FALSE; /* no alternative match yet */
+ int matched = -1; /* -1 is no alternative match yet, 1 means match and 0
+ means mismatch */
int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
size_t addrlen = 0;
struct SessionHandle *data = conn->data;
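Review bot: the tri-state is carried in a bare int whose -1/0/1 meaning lives only in a wrapped comment; three named values (an enum or defines for "no alternative of this type seen", "mismatch" and "match") would make the comparisons in the later hunks self-explaining and stop a future `if(matched)` from silently treating -1 as true. The comment should also state that -1 specifically means no subjectAltName of the target type was present, since that is the condition that now decides whether the Common Name is consulted at all.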
@@ -1093,7 +1094,7 @@ static CURLcode verifyhost(struct connec
numalts = sk_GENERAL_NAME_num(altnames);
/* loop through all alternatives while none has matched */
- for (i=0; (i<numalts) && !matched; i++) {
+ for (i=0; (i<numalts) && (matched != 1); i++) {
/* get a handle to alternative name number i */
const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
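Review bot: this loop-condition change is required rather than cosmetic: with `matched` now starting at -1, the old `!matched` would evaluate to false and the loop body would never run, so this hunk must land together with the initialisation change above. `matched != 1` also keeps iterating after a mismatch, which is wanted because a later dNSName or iPAddress entry may still match; a one-line comment saying so would help, since a reader may expect the loop to stop at the first entry of the target type.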
@@ -1119,14 +1120,18 @@ static CURLcode verifyhost(struct connec
/* if this isn't true, there was an embedded zero in the name
string and we cannot match it. */
cert_hostcheck(altptr, conn->host.name))
- matched = TRUE;
+ matched = 1;
+ else
+ matched = 0;
break;
case GEN_IPADD: /* IP address comparison */
/* compare alternative IP address if the data chunk is the same size
our server IP address is */
if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
- matched = TRUE;
+ matched = 1;
+ else
+ matched = 0;
break;
}
}
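Review bot: the new `else` branches hang off multi-line `if` conditions with comments interleaved between the lines (the GEN_DNS condition starts above this hunk), so braces around both the `if` and `else` bodies would make the pairing unambiguous and protect against a later edit inserting a statement there. Setting `matched = 0` here is only correct if this switch is reached solely for entries whose type equals `target`; that check is outside the visible context, so please confirm it still encloses the switch, otherwise an email or URI entry would be recorded as a mismatch, which is exactly what the thread is trying to avoid.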
@@ -1134,10 +1139,10 @@ static CURLcode verifyhost(struct connec
GENERAL_NAMES_free(altnames);
}
- if(matched)
+ if(matched == 1)
/* an alternative name matched the server hostname */
infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
- else if(altnames) {
+ else if(matched == 0) {
/* an alternative name field existed, but didn't match and then
we MUST fail */
infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname);
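Review bot: this is the behavioural fix, and the commit text should say so: `else if(altnames)` made any subjectAltName extension, even one holding only rfc822Name or URI entries, suppress the CN fallback and fail the connection, whereas `matched == 0` fails only when an entry of the target type was present and did not match. Consider also logging the third state explicitly, for example an infof() line such as "no subjectAltName of the expected type, checking Common Name" on the path that now falls through when `matched` is still -1, so that verbose output makes it visible why the CN was consulted.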
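The rule the thread settles on (only subjectAltName entries of the same type as the target count, entries of other types such as email or URI are ignored, a mismatching entry of the right type is fatal, and the Common Name is consulted only when no entry of the target type exists) as an added example that is not curl's code: it models the patched verifyhost() with a plain C struct in place of OpenSSL's GENERAL_NAME stack and puts the pre-patch and post-patch decisions side by side. The struct and function names, the IPv4-only address parsing, the simplified single-label wildcard rule and the sample certificates are assumptions constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not curl's code: models the patched verifyhost() decision with a
 * plain struct in place of OpenSSL's GENERAL_NAME stack. All names, the IPv4-only
 * address handling and the sample certificates below are assumptions. */
enum san_type { SAN_DNS, SAN_IPADD, SAN_EMAIL, SAN_URI, SAN_OTHER };

struct san {                   /* one subjectAltName entry */
    enum san_type type;
    const unsigned char *data; /* mirrors ASN1_STRING_data() */
    size_t len;                /* mirrors ASN1_STRING_length() */
};
/* the patch's tri-state: -1 no entry of the target type, 0 mismatch, 1 match */
enum alt_result { ALT_NONE = -1, ALT_MISMATCH = 0, ALT_MATCH = 1 };

static int ieq(const char *a, const char *b) /* case-insensitive string equality */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* exact match, or a leading "*." standing for exactly one host label */
static int cert_hostcheck(const char *pattern, const char *host)
{
    if (pattern[0] == '*' && pattern[1] == '.' && pattern[2] != '\0') {
        const char *dot = strchr(host, '.');
        return (dot != NULL && dot != host) ? ieq(pattern + 2, dot + 1) : 0;
    }
    return ieq(pattern, host);
}

/* dotted-quad IPv4 only; fills addr and returns 1 when host is an address */
static int parse_ipv4(const char *s, unsigned char addr[4])
{
    unsigned a, b, c, d;
    int n = 0;
    if (sscanf(s, "%u.%u.%u.%u%n", &a, &b, &c, &d, &n) != 4 || s[n] != '\0' ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    addr[0] = (unsigned char)a; addr[1] = (unsigned char)b;
    addr[2] = (unsigned char)c; addr[3] = (unsigned char)d;
    return 1;
}

/* walk the SAN list; entries of any other type (email, URI, ...) are skipped */
static enum alt_result check_altnames(const struct san *sans, size_t n, const char *host)
{
    unsigned char addr[4];
    enum san_type target = parse_ipv4(host, addr) ? SAN_IPADD : SAN_DNS;
    enum alt_result matched = ALT_NONE;
    for (size_t i = 0; i < n && matched != ALT_MATCH; i++) {
        const struct san *s = &sans[i];
        int ok;
        if (s->type != target)
            continue;
        if (target == SAN_DNS) /* the length check rejects a name with an embedded NUL */
            ok = s->len == strlen((const char *)s->data) &&
                 cert_hostcheck((const char *)s->data, host);
        else
            ok = s->len == sizeof addr && memcmp(s->data, addr, sizeof addr) == 0;
        matched = ok ? ALT_MATCH : ALT_MISMATCH;
    }
    return matched;
}

/* before the patch: any SAN entry at all disabled the CN fallback */
int verify_host_old(const struct san *sans, size_t n, const char *host, const char *cn)
{
    enum alt_result r = check_altnames(sans, n, host);
    if (r == ALT_MATCH) return 1;
    if (n > 0) return 0; /* stands in for curl's "else if(altnames)" */
    return cert_hostcheck(cn, host);
}

/* after the patch: only a mismatching entry of the target type is fatal */
int verify_host_new(const struct san *sans, size_t n, const char *host, const char *cn)
{
    enum alt_result r = check_altnames(sans, n, host);
    if (r == ALT_MATCH) return 1;
    if (r == ALT_MISMATCH) return 0;
    return cert_hostcheck(cn, host); /* no dNSName/iPAddress entry: fall back to the CN */
}

/* constructed sample certificates, not real ones */
#define SAN_STR(t, s) { t, (const unsigned char *)(s), sizeof(s) - 1 }
static const struct san email_only[] = { SAN_STR(SAN_EMAIL, "[email protected]") };
static const struct san uri_and_wildcard[] = { SAN_STR(SAN_URI, "https://example.com/"),
                                              SAN_STR(SAN_DNS, "*.example.com") };
static const struct san wrong_dns[] = { SAN_STR(SAN_DNS, "other.example.com") };
static const struct san nul_dns[] = { SAN_STR(SAN_DNS, "www.example.com\0.attacker.test") };
static const unsigned char ip_bytes[4] = { 10, 0, 0, 1 };
static const struct san ip_only[] = { { SAN_IPADD, ip_bytes, 4 } };

int main(void)
{
    const char *h = "www.example.com";
    printf("email-only SAN, matching CN: old=%d new=%d\n",
           verify_host_old(email_only, 1, h, h), verify_host_new(email_only, 1, h, h));
    printf("URI+wildcard: %d  wrong dNSName: %d  embedded NUL: %d  iPAddress: %d\n",
           verify_host_new(uri_and_wildcard, 2, h, h), verify_host_new(wrong_dns, 1, h, h),
           verify_host_new(nul_dns, 1, h, h), verify_host_new(ip_only, 1, "10.0.0.1", h));
    return 0;
}
```

The email-only certificate with a matching Common Name is the case from the thread: verify_host_old rejects it because a SAN extension exists, verify_host_new accepts it because no dNSName entry was present. The embedded-NUL sample shows why the length comparison in the GEN_DNS branch matters: strlen() stops at the NUL and would otherwise see a matching name.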
