--- a/config.c 2015-01-26 17:47:53.000000000 +0100
+++ b/config.c 2015-11-18 18:20:16.431223194 +0100
@@ -889,6 +889,25 @@
}
#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+/*
+ * Basic wildcard matching
+ * replace with X509_check_host at some point in the future
+ * beware of https://rt.openssl.org/Ticket/Display.html?id=3288
+ */
+static int
+SNI_match_name(const char *pattern, const char *name)
+{
+ short is_wildcard;
+ const char *cp;
+
+ /* easy wildcard checking - check left-most DNS label only */
+ is_wildcard = (pattern[0] == '*' && pattern[1] == '.');
+ if (is_wildcard)
+ return ((cp = strchr(name, '.')) != NULL && strcasecmp(pattern+1, cp) == 0);
+ else
+ return (strcasecmp(pattern, name) == 0);
+}
+
static int
SNI_server_name(SSL *ssl, int *dummy, POUND_CTX *ctx)
{
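Review bot: The wildcard branch of SNI_match_name (the `return` after `if (is_wildcard)`) accepts a client-supplied name whose left-most label is empty: for `name` equal to ".example.com", `strchr(name, '.')` returns `name` itself and the comparison against `pattern+1` succeeds, so the wildcard matches zero characters, which RFC 6125 does not allow. Requiring at least one character before the first dot closes that gap: `return ((cp = strchr(name, '.')) != NULL && cp != name && strcasecmp(pattern+1, cp) == 0);`. The function also dereferences `name` unconditionally, so it relies on the caller having already rejected a NULL servername; that check lives in SNI_server_name outside this hunk, and a comment such as `/* name must be non-NULL; caller checks SSL_get_servername() */` above the function would make the contract explicit. As a point of style, `short is_wildcard` gains nothing over `int` here and the assignment inside the return expression is easier to audit if `cp` is assigned on its own line first.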
@@ -902,7 +922,7 @@
SSL_set_SSL_CTX(ssl, NULL);
for(pc = ctx; pc; pc = pc->next) {
- if(fnmatch(pc->server_name, server_name, 0) == 0) {
+ if(SNI_match_name(pc->server_name, server_name)) {
/* logmsg(LOG_DEBUG, "Found cert for %s", servername); */
SSL_set_SSL_CTX(ssl, pc->ctx);
return SSL_TLSEXT_ERR_OK;
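Review bot: Switching the comparison from fnmatch() to SNI_match_name is a silent behaviour change for existing configurations: the old call with flags 0 let a `*` in the certificate name span multiple labels and also honoured `?` and `[...]`, whereas the new matcher only recognises a single leading `*.` against the left-most label, so a cert whose CN previously matched will now fall through to the default SSL_CTX with no log line to explain it. That tightening is the right direction, but it deserves a short comment at the call site, e.g. `/* wildcard only in the left-most label; no fnmatch() globbing */`, and a changelog entry so operators know to check their certificates. The same applies to the subjectAltNames loop in the following hunk. SNI_server_name begins before this hunk and continues past it.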
@@ -911,7 +931,7 @@
int i;
for(i = 0; i < pc->subjectAltNameCount; i++) {
- if(fnmatch(pc->subjectAltNames[i], server_name, 0) == 0) {
+ if(SNI_match_name(pc->subjectAltNames[i], server_name)) {
SSL_set_SSL_CTX(ssl, pc->ctx);
return SSL_TLSEXT_ERR_OK;
}