This is an automated email from the ASF dual-hosted git repository.

ardovm pushed a commit to branch AOO42X
in repository https://gitbox.apache.org/repos/asf/openoffice.git

commit e8e5910fd829cec3704a0277212c2973aa68e08f
Author: Damjan Jovanovic <dam...@apache.org>
AuthorDate: Tue Feb 6 07:29:29 2024 +0200

    Allow our WebDAV content provider to connect when the TLS certificate name
    doesn't match the server's host name.
    
    Currently in such cases the connection always fails, and the user isn't even
    given a chance to allow it. This is because Curl does the server name
    validation itself. However we already have code to validate server names,
    and we prompt the user for what to do, unlike Curl which always fails.
    Therefore disable Curl's verification and use ours.
    
    Patch by: me
    
    (cherry picked from commit 88ba7bc95f387996e4041aab9f586786362ea8da)
---
 main/ucb/source/ucp/webdav/CurlSession.cxx | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/main/ucb/source/ucp/webdav/CurlSession.cxx 
b/main/ucb/source/ucp/webdav/CurlSession.cxx
index bf6494233f..73328b78d5 100644
--- a/main/ucb/source/ucp/webdav/CurlSession.cxx
+++ b/main/ucb/source/ucp/webdav/CurlSession.cxx
@@ -113,6 +113,17 @@ CurlSession::CurlSession(
     curl_easy_setopt( m_pCurl, CURLOPT_SSL_CTX_FUNCTION, 
Curl_SSLContextCallback );
     curl_easy_setopt( m_pCurl, CURLOPT_SSL_CTX_DATA, this );
 
+    // If a certificate's commmon name / alt name doesn't match the hostname 
we are
+    // connecting to, Curl will refuse to connect. Disable this, as we do that 
check
+    // ourselves, and give the user the option of connecting anyway.
+    //
+    // Note also, how "man CURLOPT_SSL_VERIFYHOST" tells us that setting 0 here
+    // disables SNI, which is bad news, some servers require SNI. However 
reading Curl
+    // 8.6.0's Curl_ssl_peer_init() in file lib/vtls/vtls.c shows that SNI is 
sent
+    // regardless, as long as we are connecting to a domain name, NOT an IP 
address.
+    // Tests confirm this. For OpenSSL anyway - other Curl crypto providers 
are stricter...
+    curl_easy_setopt( m_pCurl, CURLOPT_SSL_VERIFYHOST, 0 );
+
     if ( m_aLogger.getLogLevel() == LogLevel::FINEST )
     {
         curl_easy_setopt( m_pCurl, CURLOPT_DEBUGFUNCTION, Curl_DebugCallback );
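Review bot: Setting CURLOPT_SSL_VERIFYHOST to 0 turns off libcurl's host name check for every connection this session makes, and the only thing standing in for it is the verification done from the Curl_SSLContextCallback registered a few lines above; the hunk adds no guard that this callback path was actually installed and ran before the connection is used, so it would help to assert or log that the custom name check executed, otherwise a backend that does not invoke the SSL_CTX callback silently ends up with no host name validation at all. The comment also ties the "SNI is still sent" conclusion to curl 8.6.0's OpenSSL backend (lib/vtls/vtls.c) and admits other providers are stricter, so that dependency should be recorded in the build requirements or checked at runtime via curl_version_info rather than left to a code comment. Two smaller points: libcurl documents this option as taking a `long`, so pass `0L` rather than `0` to avoid a varargs mismatch on LP64 platforms (`curl_easy_setopt( m_pCurl, CURLOPT_SSL_VERIFYHOST, 0L );`), and "commmon" in the first comment line is a typo.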
