This is an automated email from the ASF dual-hosted git repository.

damjan pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/openoffice.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 88ba7bc95f Allow our WebDAV content provider to connect when the TLS 
certificate name doesn't match the server's host name.
88ba7bc95f is described below

commit 88ba7bc95f387996e4041aab9f586786362ea8da
Author: Damjan Jovanovic <dam...@apache.org>
AuthorDate: Tue Feb 6 07:29:29 2024 +0200

    Allow our WebDAV content provider to connect when the TLS certificate name
    doesn't match the server's host name.
    
    Currently in such cases the connection always fails, and the user isn't even
    given a chance to allow it. This is because Curl does the server name
    validation itself. However we already have code to validate server names,
    and we prompt the user for what to do, unlike Curl which always fails.
    Therefore disable Curl's verification and use ours.
    
    Patch by: me
---
 main/ucb/source/ucp/webdav/CurlSession.cxx | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/main/ucb/source/ucp/webdav/CurlSession.cxx 
b/main/ucb/source/ucp/webdav/CurlSession.cxx
index bf6494233f..73328b78d5 100644
--- a/main/ucb/source/ucp/webdav/CurlSession.cxx
+++ b/main/ucb/source/ucp/webdav/CurlSession.cxx
@@ -113,6 +113,17 @@ CurlSession::CurlSession(
     curl_easy_setopt( m_pCurl, CURLOPT_SSL_CTX_FUNCTION, 
Curl_SSLContextCallback );
     curl_easy_setopt( m_pCurl, CURLOPT_SSL_CTX_DATA, this );
 
+    // If a certificate's commmon name / alt name doesn't match the hostname 
we are
+    // connecting to, Curl will refuse to connect. Disable this, as we do that 
check
+    // ourselves, and give the user the option of connecting anyway.
+    //
+    // Note also, how "man CURLOPT_SSL_VERIFYHOST" tells us that setting 0 here
+    // disables SNI, which is bad news, some servers require SNI. However 
reading Curl
+    // 8.6.0's Curl_ssl_peer_init() in file lib/vtls/vtls.c shows that SNI is 
sent
+    // regardless, as long as we are connecting to a domain name, NOT an IP 
address.
+    // Tests confirm this. For OpenSSL anyway - other Curl crypto providers 
are stricter...
+    curl_easy_setopt( m_pCurl, CURLOPT_SSL_VERIFYHOST, 0 );
+
     if ( m_aLogger.getLogLevel() == LogLevel::FINEST )
     {
         curl_easy_setopt( m_pCurl, CURLOPT_DEBUGFUNCTION, Curl_DebugCallback );
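Review bot: With `CURLOPT_SSL_VERIFYHOST` set to 0 at the end of this hunk, host name matching now rests entirely on the verification done from `Curl_SSLContextCallback` (registered two lines above), so it is worth stating in the commit message, or confirming in review, that the callback path actually aborts the handshake when the user declines the mismatched certificate and that it runs for every connection the session makes (including reused connections and redirects), since `CURLOPT_SSL_VERIFYPEER` is left untouched here and nothing else in the diff rejects a bad name. Two smaller points on the same line: curl documents this option as taking a `long`, so `0L` rather than `0` is the safer spelling for a variadic setter, and the comment's own caveat that the SNI behaviour was only confirmed for the OpenSSL backend ("other Curl crypto providers are stricter...") suggests noting which TLS backend the build is expected to use. There is also a typo, "commmon", in the first added comment line.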
