authorAlexander Barton <alex@barton.de>2024-01-01 19:58:35 +0100
committerAlexander Barton <alex@barton.de>2024-03-23 20:19:01 +0100
commit84b019b11f761b71c8239d60e7f8db0b82a55df3 (patch)
treec08535a0dcd5b441ca2dda8c7a03c30dff9fce4b
parent8f8bef9faee96a6033e8719fd38167017299847a (diff)
downloadngircd-84b019b11f761b71c8239d60e7f8db0b82a55df3.tar.gz
ngircd-84b019b11f761b71c8239d60e7f8db0b82a55df3.zip
S2S-TLS/OpenSSL: Always setup host name verification
Set up host name verification even when the "SSLVerify" option is
disabled: even then the peer can present a valid certificate, and its
validation would always(!) fail because host name verification had not
been set up.
-rw-r--r--src/ngircd/conn-ssl.c28
1 files changed, 15 insertions, 13 deletions
diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c
index dcd21def..ce4e27c1 100644
--- a/src/ngircd/conn-ssl.c
+++ b/src/ngircd/conn-ssl.c
@@ -748,25 +748,27 @@ ConnSSL_PrepareConnect(CONNECTION * c, CONF_SERVER * s)
 	if (!ret)
 		return false;
 	Conn_OPTION_ADD(c, CONN_SSL_CONNECT);
+
 #ifdef HAVE_LIBSSL
 	assert(c->ssl_state.ssl);
-	if (s->SSLVerify) {
-		X509_VERIFY_PARAM *param = NULL;
-		param = SSL_get0_param(c->ssl_state.ssl);
-		X509_VERIFY_PARAM_set_hostflags(param,
-						X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
-		int err = X509_VERIFY_PARAM_set1_host(param, s->host, 0);
-		if (err != 1) {
-			Log(LOG_ERR,
-			    "Cannot set up hostname verification for '%s': %u",
-			    s->host, err);
-			return false;
-		}
+
+	X509_VERIFY_PARAM *param = SSL_get0_param(c->ssl_state.ssl);
+	X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+	int err = X509_VERIFY_PARAM_set1_host(param, s->host, 0);
+	if (err != 1) {
+		Log(LOG_ERR,
+		    "Cannot set up hostname verification for '%s': %u",
+		    s->host, err);
+		return false;
+	}
+
+	if (s->SSLVerify)
 		SSL_set_verify(c->ssl_state.ssl, SSL_VERIFY_PEER,
 			       Verify_openssl);
-	} else
+	else
 		SSL_set_verify(c->ssl_state.ssl, SSL_VERIFY_NONE, NULL);
 #endif
+
 	return true;
 }
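Review bot: The `X509_VERIFY_PARAM_set1_host` call in the new code only matches DNS names in the certificate, so if `s->host` can be an IP literal the peer's IP SAN will never satisfy the check and `SSL_get_verify_result()` will report a host mismatch even for a correct certificate; I cannot tell from the hunk whether the configuration parser allows IP addresses here. If it does, try the IP form first and fall back to DNS matching: `int err = X509_VERIFY_PARAM_set1_ip_asc(param, s->host);` followed by `if (err != 1) err = X509_VERIFY_PARAM_set1_host(param, s->host, 0);` (`set1_ip_asc` returns 0 without touching the parameters when the string is not an IP literal). Note also that an empty `s->host` passed with namelen 0 clears the host list instead of failing, so the check silently disappears if that field can ever be empty. Finally, `err` is an `int` but is logged with `%u`; `%d` is the matching conversion. The enclosing ConnSSL_PrepareConnect begins before the hunk.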