On Thursday, 3 November 2016 at 00:23:37 CET, Sebastian Andrzej Siewior wrote:
> On 2016-09-12 17:00:28 [+0200], Kurt Roeckx wrote:
> > > But this problem existed before 1.1.0 support (this patch).
> > > What do you recommend here? The builtin usage
> > > (X509_VERIFY_PARAM_set_hostflags()) looks simple. The alternative
> > > X509_check_host() is 1.0.2+ and since it can not be applied to stable I
> > > don't see the point. I would add this for 1.1.0 and keep the current
> > > validation for < 1.1.0.
> >
> > We don't want to upload this to Debian stable in any case. But if
> > it's only doing the right thing with 1.1.0 that works for me.
>
> So I've been looking at this again. The patch attached should do what
> you asked for. It is so untested that EA is already using it…

I'm thinking we can and should keep using CTX functions (e.g.
SSL_CTX_get0_param()), which minimizes the amount of changes. And your
cert_verify() seems to essentially do the same things as the existing
ssl_open_verify().

> Ehm. One thing: The callback that uw-imap invokes
>     scq(err_str_cpy, "hostname", cert_subj)
>
> expects to pass the hostname of the connection. I have no idea how to
> obtain it at that point.

ssl_start_work() puts it in a static variable that ssl_open_verify() reads.

I have tested my patch to the extent that I get a validation error when I use
"mailutil check" with an IP address, but not when I use the hostname. I
haven't tested all kinds of SAN shenanigans, but I suppose we can trust
OpenSSL here. The error message is of course different since we rely on the
built-in validation routine instead of our ssl_validate_cert().

-- 
Magnus Holmgren        holmg...@debian.org
Debian Developer

--- a/src/osdep/unix/ssl_unix.c +++ b/src/osdep/unix/ssl_unix.c @@ -227,8 +227,16 @@ static char *ssl_start_work (SSLSTREAM * /* disable certificate validation? */ if (flags & NET_NOVALIDATECERT) SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL); - else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify); + else { +#if OPENSSL_VERSION_NUMBER >= 0x10100000 + X509_VERIFY_PARAM *param = SSL_CTX_get0_param(stream->context); + X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + X509_VERIFY_PARAM_set1_host(param, host, 0); +#endif + + SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify); /* set default paths to CAs... */ + } SSL_CTX_set_default_verify_paths (stream->context); /* ...unless a non-standard path desired */ if (s = (char *) mail_parameters (NIL,GET_SSLCAPATH,NIL)) @@ -266,6 +274,7 @@ static char *ssl_start_work (SSLSTREAM * if (SSL_write (stream->con,"",0) < 0) return ssl_last_error ? ssl_last_error : "SSL negotiation failed"; /* need to validate host names? */ +#if OPENSSL_VERSION_NUMBER < 0x10100000 if (!(flags & NET_NOVALIDATECERT) && (err = ssl_validate_cert (cert = SSL_get_peer_certificate (stream->con), host))) { @@ -275,6 +284,7 @@ static char *ssl_start_work (SSLSTREAM * sprintf (tmp,"*%.128s: %.255s",err,cert ? cert->name : "???"); return ssl_last_error = cpystr (tmp); } +#endif return NIL; } @@ -312,7 +322,7 @@ static int ssl_open_verify (int ok,X509_ * host to validate against * Returns: NIL if validated, else string of error message */ - +#if OPENSSL_VERSION_NUMBER < 0x10100000 static char *ssl_validate_cert (X509 *cert,char *host) { int i,n; @@ -342,6 +352,7 @@ static char *ssl_validate_cert (X509 *ce else ret = "Unable to locate common name in certificate"; return ret; } +#endif /* Case-independent wildcard pattern match * Accepts: base string
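
Review bot: the return value of X509_VERIFY_PARAM_set1_host(param, host, 0) in the first hunk (@@ -227,8 +227,16 @@) is ignored. The call returns 0 on failure, and because the later hunks compile out the ssl_validate_cert() fallback for OpenSSL >= 1.1.0, a failed call would leave the context with no expected name while the handshake still goes ahead under SSL_VERIFY_PEER. Suggest failing connection setup when it returns 0, by returning an error string from ssl_start_work() in the same way the function already does for "SSL negotiation failed". Minor: the closing brace is added after the context line /* set default paths to CAs... */, so that comment now sits inside the else block while SSL_CTX_set_default_verify_paths() stays outside it; putting the brace above the comment keeps the two together.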
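
Review bot: with the post-handshake ssl_validate_cert() call guarded by #if OPENSSL_VERSION_NUMBER < 0x10100000 (hunks @@ -266,6 +274,7 @@ and @@ -275,6 +284,7 @@), a 1.1.0 build reports a name mismatch only through what ssl_open_verify records, and the "*%.128s: %.255s" message built here is no longer produced. A comment next to the #if stating that the library performs the hostname check during the handshake on >= 1.1.0 would make that intent visible, and it is worth confirming that the verify callback lets X509_V_ERR_HOSTNAME_MISMATCH fail the handshake rather than overriding it. Also, err and cert look to be used only inside this guarded block; if that is the case they will produce unused-variable warnings on 1.1.0 and should be guarded too.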
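
Review bot: the #if in hunk @@ -312,7 +322,7 @@ is placed after the function's header comment (the one ending "Returns: NIL if validated, else string of error message"), so on 1.1.0 builds that comment documents a function that is not compiled. Suggest opening the #if above the comment block and annotating the matching #endif in hunk @@ -342,6 +352,7 @@ as #endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */, since the pair is about thirty lines apart. Any static prototype for ssl_validate_cert(), and the wildcard pattern match helper that follows the #endif if ssl_validate_cert() is its only caller, would need the same guard to avoid warnings about unused or undefined static functions.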