Gitweb links:

...log 
http://git.netsurf-browser.org/netsurf.git/shortlog/44f3846727d35ab17be3f779caa4a33548cdc152
...commit 
http://git.netsurf-browser.org/netsurf.git/commit/44f3846727d35ab17be3f779caa4a33548cdc152
...tree 
http://git.netsurf-browser.org/netsurf.git/tree/44f3846727d35ab17be3f779caa4a33548cdc152

The branch, master has been updated
       via  44f3846727d35ab17be3f779caa4a33548cdc152 (commit)
      from  c903c881e62ce020f53da0b03f4e8f388b9bd986 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commitdiff 
http://git.netsurf-browser.org/netsurf.git/commit/?id=44f3846727d35ab17be3f779caa4a33548cdc152
commit 44f3846727d35ab17be3f779caa4a33548cdc152
Author: Daniel Silverstone <[email protected]>
Commit: Daniel Silverstone <[email protected]>

    SSL Error: Enable OpenSSL hostname verification
    
    Since OpenSSL 1.0.2 there has been hostname verification support
    which cURL doesn't turn on for some reason.  Turn it on so that
    we get better hostname verification handling.
    
    Signed-off-by: Daniel Silverstone <[email protected]>

diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index db41b32..50c5d64 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -39,6 +39,7 @@
 #include <time.h>
 #include <sys/stat.h>
 #include <openssl/ssl.h>
+#include <openssl/x509v3.h>
 
 #include <libwapcaplet/libwapcaplet.h>
 #include <nsutils/time.h>
@@ -594,6 +595,9 @@ fetch_curl_report_certs_upstream(struct curl_fetch_info *f)
                case X509_V_ERR_CERT_REVOKED:
                        ssl_certs[depth].err = SSL_CERT_ERR_REVOKED;
                        break;
+               case X509_V_ERR_HOSTNAME_MISMATCH:
+                       ssl_certs[depth].err = SSL_CERT_ERR_HOSTNAME_MISMATCH;
+                       break;
                default:
                        ssl_certs[depth].err = SSL_CERT_ERR_UNKNOWN;
                        break;
@@ -689,9 +693,20 @@ static int fetch_curl_cert_verify_callback(X509_STORE_CTX 
*x509_ctx, void *parm)
 {
        struct curl_fetch_info *f = (struct curl_fetch_info *) parm;
        int ok;
+       X509_VERIFY_PARAM *vparam;
+
+       /* Configure the verification parameters to include hostname */
+       vparam = X509_STORE_CTX_get0_param(x509_ctx);
+       X509_VERIFY_PARAM_set_hostflags(vparam, 
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+
+       ok = X509_VERIFY_PARAM_set1_host(vparam,
+                                        lwc_string_data(f->host),
+                                        lwc_string_length(f->host));
 
        /* Store fetch struct in context for verify callback */
-       ok = X509_STORE_CTX_set_app_data(x509_ctx, parm);
+       if (ok) {
+               ok = X509_STORE_CTX_set_app_data(x509_ctx, parm);
+       }
 
        /* verify the certificate chain using standard call */
        if (ok) {
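Review bot: `X509_VERIFY_PARAM_set1_host` on the new lines only matches DNS names, so if `f->host` can ever be an IP literal (an https URL with a bare address) the certificate's iPAddress SAN will not be consulted and a correct certificate is likely to be reported as a hostname mismatch, which encourages users to click through warnings; OpenSSL expects IP literals to be installed with `X509_VERIFY_PARAM_set1_ip_asc` instead. Whether the fetcher can see an IP host here is not visible in this hunk, so the branch below uses a placeholder predicate that should be derived from the parsed URL. `X509_VERIFY_PARAM_set1_ip_asc` needs a NUL-terminated string, so confirm that `lwc_string_data` guarantees one before relying on it. fetch_curl_cert_verify_callback continues outside this hunk.
```c
	/* Configure the verification parameters to include hostname */
	vparam = X509_STORE_CTX_get0_param(x509_ctx);
	X509_VERIFY_PARAM_set_hostflags(vparam, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);

	if (HOST_IS_IP_LITERAL /* placeholder: decide from the parsed URL */) {
		/* IP literals are matched against iPAddress SANs, not dNSName */
		ok = X509_VERIFY_PARAM_set1_ip_asc(vparam, lwc_string_data(f->host));
	} else {
		ok = X509_VERIFY_PARAM_set1_host(vparam,
						 lwc_string_data(f->host),
						 lwc_string_length(f->host));
	}
	/* … unchanged: set_app_data and chain verification … */
```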
@@ -1181,21 +1196,9 @@ static void fetch_curl_done(CURL *curl_handle, CURLcode 
result)
                ;
        } else if (result == CURLE_SSL_PEER_CERTIFICATE ||
                   result == CURLE_SSL_CACERT) {
-               /*
-                * curl in 7.63.0 (https://github.com/curl/curl/pull/3291)
-                *   unified *all* SSL errors into the single
-                *   CURLE_PEER_FAILED_VERIFICATION depricating
-                *   CURLE_SSL_PEER_CERTIFICATE and CURLE_SSL_CACERT
-                *
-                * This change complete removed the ability to
-                *   distinguish between certificate errors, host
-                *   verification errors or any other failure reason
-                *   using the curl result code.
-                *
-                * The result is when certificate error message is
-                *   sent there is currently no way of informing the
-                *   llcache about host verification faliures as the
-                *   certificate chain has no error codes set.
+               /* Some kind of failure has occurred.  If we don't know
+                * what happened, we'll have reported unknown errors up
+                * to the user already via the certificate chain error fields.
                 */
                cert = true;
        } else {
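Review bot: The replacement comment on the new lines drops the only explanation of why this branch still tests `CURLE_SSL_PEER_CERTIFICATE || CURLE_SSL_CACERT`: recent curl reports every verification failure as CURLE_PEER_FAILED_VERIFICATION and, as far as I recall, keeps `CURLE_SSL_CACERT` as an alias for it, which is what keeps this branch reachable on current curl. A maintainer who later "cleans up" the deprecated codes would silently lose the certificate-error path. Suggest keeping one sentence of that history, e.g. `/* Newer curl folds all verification failures into CURLE_PEER_FAILED_VERIFICATION (CURLE_SSL_CACERT aliases it); the specific reason is carried by the per-certificate err fields set in fetch_curl_report_certs_upstream. */`. fetch_curl_done starts and ends outside this hunk.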
diff --git a/include/netsurf/ssl_certs.h b/include/netsurf/ssl_certs.h
index c77c299..7e933b1 100644
--- a/include/netsurf/ssl_certs.h
+++ b/include/netsurf/ssl_certs.h
@@ -38,7 +38,7 @@ typedef enum {
        SSL_CERT_ERR_SELF_SIGNED, /**< This certificate (or the chain) is self 
signed */
        SSL_CERT_ERR_CHAIN_SELF_SIGNED, /**< This certificate chain is self 
signed */
        SSL_CERT_ERR_REVOKED,   /**< This certificate has been revoked */
-       SSL_CERT_ERR_COMMON_NAME, /**< This certificate host did not match teh 
server */
+       SSL_CERT_ERR_HOSTNAME_MISMATCH, /**< This certificate host did not 
match the server */
 } ssl_cert_err;
 
 /**
diff --git a/resources/FatMessages b/resources/FatMessages
index 7dd3970..54c69b8 100644
--- a/resources/FatMessages
+++ b/resources/FatMessages
@@ -1076,7 +1076,7 @@ en.all.SSLCertErrTooOld:The certificate has expired.
 en.all.SSLCertErrSelfSigned:The certificate is self signed.
 en.all.SSLCertErrChainSelfSigned:The certificate chain is self signed.
 en.all.SSLCertErrRevoked:The certificate has been revoked by the issuer.
-en.all.SSLCertErrCommonName:The certificate is for a different host than the 
server
+en.all.SSLCertErrHostnameMismatch:The certificate is for a different host than 
the server
 
 
 # SSL certificate viewer
diff --git a/utils/messages.c b/utils/messages.c
index c4a7959..0d2085c 100644
--- a/utils/messages.c
+++ b/utils/messages.c
@@ -383,9 +383,9 @@ const char *messages_get_sslcode(ssl_cert_err code)
                /* This certificate has been revoked */
                return messages_get_ctx("SSLCertErrRevoked", messages_hash);
 
-       case SSL_CERT_ERR_COMMON_NAME:
+       case SSL_CERT_ERR_HOSTNAME_MISMATCH:
                /* Common name is invalid */
-               return messages_get_ctx("SSLCertErrCommonName", messages_hash);
+               return messages_get_ctx("SSLCertErrHostnameMismatch", 
messages_hash);
 
        }
 


-----------------------------------------------------------------------

Summary of changes:
 content/fetchers/curl.c     |   35 +++++++++++++++++++----------------
 include/netsurf/ssl_certs.h |    2 +-
 resources/FatMessages       |    2 +-
 utils/messages.c            |    4 ++--
 4 files changed, 23 insertions(+), 20 deletions(-)

diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index db41b32..50c5d64 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -39,6 +39,7 @@
 #include <time.h>
 #include <sys/stat.h>
 #include <openssl/ssl.h>
+#include <openssl/x509v3.h>
 
 #include <libwapcaplet/libwapcaplet.h>
 #include <nsutils/time.h>
@@ -594,6 +595,9 @@ fetch_curl_report_certs_upstream(struct curl_fetch_info *f)
                case X509_V_ERR_CERT_REVOKED:
                        ssl_certs[depth].err = SSL_CERT_ERR_REVOKED;
                        break;
+               case X509_V_ERR_HOSTNAME_MISMATCH:
+                       ssl_certs[depth].err = SSL_CERT_ERR_HOSTNAME_MISMATCH;
+                       break;
                default:
                        ssl_certs[depth].err = SSL_CERT_ERR_UNKNOWN;
                        break;
@@ -689,9 +693,20 @@ static int fetch_curl_cert_verify_callback(X509_STORE_CTX 
*x509_ctx, void *parm)
 {
        struct curl_fetch_info *f = (struct curl_fetch_info *) parm;
        int ok;
+       X509_VERIFY_PARAM *vparam;
+
+       /* Configure the verification parameters to include hostname */
+       vparam = X509_STORE_CTX_get0_param(x509_ctx);
+       X509_VERIFY_PARAM_set_hostflags(vparam, 
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+
+       ok = X509_VERIFY_PARAM_set1_host(vparam,
+                                        lwc_string_data(f->host),
+                                        lwc_string_length(f->host));
 
        /* Store fetch struct in context for verify callback */
-       ok = X509_STORE_CTX_set_app_data(x509_ctx, parm);
+       if (ok) {
+               ok = X509_STORE_CTX_set_app_data(x509_ctx, parm);
+       }
 
        /* verify the certificate chain using standard call */
        if (ok) {
@@ -1181,21 +1196,9 @@ static void fetch_curl_done(CURL *curl_handle, CURLcode 
result)
                ;
        } else if (result == CURLE_SSL_PEER_CERTIFICATE ||
                   result == CURLE_SSL_CACERT) {
-               /*
-                * curl in 7.63.0 (https://github.com/curl/curl/pull/3291)
-                *   unified *all* SSL errors into the single
-                *   CURLE_PEER_FAILED_VERIFICATION depricating
-                *   CURLE_SSL_PEER_CERTIFICATE and CURLE_SSL_CACERT
-                *
-                * This change complete removed the ability to
-                *   distinguish between certificate errors, host
-                *   verification errors or any other failure reason
-                *   using the curl result code.
-                *
-                * The result is when certificate error message is
-                *   sent there is currently no way of informing the
-                *   llcache about host verification faliures as the
-                *   certificate chain has no error codes set.
+               /* Some kind of failure has occurred.  If we don't know
+                * what happened, we'll have reported unknown errors up
+                * to the user already via the certificate chain error fields.
                 */
                cert = true;
        } else {
diff --git a/include/netsurf/ssl_certs.h b/include/netsurf/ssl_certs.h
index c77c299..7e933b1 100644
--- a/include/netsurf/ssl_certs.h
+++ b/include/netsurf/ssl_certs.h
@@ -38,7 +38,7 @@ typedef enum {
        SSL_CERT_ERR_SELF_SIGNED, /**< This certificate (or the chain) is self 
signed */
        SSL_CERT_ERR_CHAIN_SELF_SIGNED, /**< This certificate chain is self 
signed */
        SSL_CERT_ERR_REVOKED,   /**< This certificate has been revoked */
-       SSL_CERT_ERR_COMMON_NAME, /**< This certificate host did not match teh 
server */
+       SSL_CERT_ERR_HOSTNAME_MISMATCH, /**< This certificate host did not 
match the server */
 } ssl_cert_err;
 
 /**
diff --git a/resources/FatMessages b/resources/FatMessages
index 7dd3970..54c69b8 100644
--- a/resources/FatMessages
+++ b/resources/FatMessages
@@ -1076,7 +1076,7 @@ en.all.SSLCertErrTooOld:The certificate has expired.
 en.all.SSLCertErrSelfSigned:The certificate is self signed.
 en.all.SSLCertErrChainSelfSigned:The certificate chain is self signed.
 en.all.SSLCertErrRevoked:The certificate has been revoked by the issuer.
-en.all.SSLCertErrCommonName:The certificate is for a different host than the 
server
+en.all.SSLCertErrHostnameMismatch:The certificate is for a different host than 
the server
 
 
 # SSL certificate viewer
diff --git a/utils/messages.c b/utils/messages.c
index c4a7959..0d2085c 100644
--- a/utils/messages.c
+++ b/utils/messages.c
@@ -383,9 +383,9 @@ const char *messages_get_sslcode(ssl_cert_err code)
                /* This certificate has been revoked */
                return messages_get_ctx("SSLCertErrRevoked", messages_hash);
 
-       case SSL_CERT_ERR_COMMON_NAME:
+       case SSL_CERT_ERR_HOSTNAME_MISMATCH:
                /* Common name is invalid */
-               return messages_get_ctx("SSLCertErrCommonName", messages_hash);
+               return messages_get_ctx("SSLCertErrHostnameMismatch", 
messages_hash);
 
        }
 

