- --- a/config.c 2015-01-26 17:47:53.000000000 +0100
- +++ b/config.c 2015-11-18 18:20:16.431223194 +0100
- @@ -889,6 +889,25 @@
- }
-
- #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
- +/*
- + * Basic wildcard matching
- + * replace with X509_check_host at some point in the future
- + * beware of https://rt.openssl.org/Ticket/Display.html?id=3288
- + */
- +static int
- +SNI_match_name(const char *pattern, const char *name)
- +{
- + short is_wildcard;
- + const char *cp;
- +
- + /* easy wildcard checking - check left-most DNS label only */
- + is_wildcard = (pattern[0] == '*' && pattern[1] == '.');
- + if (is_wildcard)
- + return ((cp = strchr(name, '.')) != NULL && strcasecmp(pattern+1, cp) == 0);
- + else
- + return (strcasecmp(pattern, name) == 0);
- +}
- +
- static int
- SNI_server_name(SSL *ssl, int *dummy, POUND_CTX *ctx)
- {
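Review bot: SNI_match_name's wildcard branch accepts a name whose left-most label is empty, because strchr(name, '.') returns name itself when the name starts with a dot, so `*.example.com` matches `.example.com`; reject that case with `return ((cp = strchr(name, '.')) != NULL && cp != name && strcasecmp(pattern+1, cp) == 0);`. The helper also assumes pattern and name are non-NULL, NUL-terminated strings, and since SNI_server_name (the call sites in the hunks at +922 and +931) is only partly visible here, whether server_name is validated before the loop cannot be confirmed from the patch. The header comment could state the intended contract explicitly, e.g. `/* '*' is honoured only as the whole left-most label; '?' and '[' are literal, unlike fnmatch */`, so a later maintainer does not reintroduce cross-label matching. `short is_wildcard` would conventionally be `int`.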
- @@ -902,7 +922,7 @@
-
- SSL_set_SSL_CTX(ssl, NULL);
- for(pc = ctx; pc; pc = pc->next) {
- - if(fnmatch(pc->server_name, server_name, 0) == 0) {
- + if(SNI_match_name(pc->server_name, server_name)) {
- /* logmsg(LOG_DEBUG, "Found cert for %s", servername); */
- SSL_set_SSL_CTX(ssl, pc->ctx);
- return SSL_TLSEXT_ERR_OK;
- @@ -911,7 +931,7 @@
- int i;
-
- for(i = 0; i < pc->subjectAltNameCount; i++) {
- - if(fnmatch(pc->subjectAltNames[i], server_name, 0) == 0) {
- + if(SNI_match_name(pc->subjectAltNames[i], server_name)) {
- SSL_set_SSL_CTX(ssl, pc->ctx);
- return SSL_TLSEXT_ERR_OK;
- }
-