Changeset 6bbc00a in mod_gnutls


Timestamp:
Mar 19, 2015, 11:40:40 AM (4 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, upstream
Children:
dda3acf
Parents:
d8ae2a0
Message:

Check hostname of proxy back end server against certificate

Previously, the server certificate was only checked for validity. With
this commit, mod_gnutls gets the expected hostname from the note
"proxy-request-hostname" which should have been set by mod_proxy and
matches it against the server certificate.
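As an added illustration, not code from mod_gnutls or from GnuTLS, the following standalone C checker shows the kind of matching that gnutls_certificate_verify_peers3 performs once it is handed a hostname: the expected name from the "proxy-request-hostname" note is compared, case-insensitively and with a narrow wildcard rule, against every name the certificate carries. All function names, the wildcard policy and the constructed certificate name list are assumptions of this example. It deliberately differs from the commit in one respect: a missing hostname is reported as its own result so that a caller can fail closed rather than proceed without the check.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of matching the expected back end hostname against the names a
 * certificate carries. A separate "not checked" result makes a missing
 * hostname visible to the caller instead of silently skipping the check. */
enum name_check {
    NAME_MATCH = 0,
    NAME_MISMATCH = 1,
    NAME_NOT_CHECKED = 2
};

/* Case-insensitive equality of two DNS names (DNS names are ASCII). */
static int name_ieq(const char *a, const char *b)
{
    while (*a != '\0' && *b != '\0') {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Match one certificate name (a SAN dNSName, or the CN as a fallback)
 * against hostname. Policy, an assumption of this example: a wildcard is
 * only accepted as the whole leftmost label ("*.example.org"), it matches
 * exactly one non-empty label, and it must be followed by at least two
 * labels so that "*.org" never matches "example.org". */
static int cert_name_matches(const char *pattern, const char *hostname)
{
    const char *star = strchr(pattern, '*');

    if (star == NULL)
        return name_ieq(pattern, hostname);

    /* Wildcard present: it must be the entire first label, and the only one. */
    if (star != pattern || pattern[1] != '.' || strchr(pattern + 2, '*') != NULL)
        return 0;
    if (strchr(pattern + 2, '.') == NULL)      /* refuse a single-label suffix */
        return 0;

    const char *dot = strchr(hostname, '.');
    if (dot == NULL || dot == hostname)        /* need a non-empty leftmost label */
        return 0;
    return name_ieq(pattern + 2, dot + 1);     /* "*" covers exactly one label */
}

/* Check the expected hostname against every name the certificate offers.
 * Returns NAME_NOT_CHECKED when no hostname is available, so the caller
 * can fail closed instead of verifying the certificate without a name. */
enum name_check check_peer_hostname(const char *hostname,
                                    const char *const *cert_names,
                                    size_t n_names)
{
    if (hostname == NULL || *hostname == '\0')
        return NAME_NOT_CHECKED;
    for (size_t i = 0; i < n_names; i++)
        if (cert_name_matches(cert_names[i], hostname))
            return NAME_MATCH;
    return NAME_MISMATCH;
}

/* Constructed sample: names a back end certificate might carry. */
static const char *const demo_cert_names[] = {
    "www.example.org",
    "*.example.org",
    "*.org",
    "api.example.com"
};

/* Convenience wrapper that checks hostname against the sample names. */
enum name_check demo_check(const char *hostname)
{
    return check_peer_hostname(hostname, demo_cert_names,
                               sizeof demo_cert_names / sizeof demo_cert_names[0]);
}

int main(void)
{
    const char *hosts[] = { "backend.example.org", "WWW.EXAMPLE.ORG",
                            "example.org", "a.b.example.org", NULL };
    static const char *const labels[] = { "match", "mismatch", "not checked" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-22s -> %s\n", hosts[i] ? hosts[i] : "(no note)",
               labels[demo_check(hosts[i])]);
    return 0;
}
```

The wildcard rule is intentionally stricter than what some libraries accept; what matters for the proxy case is that "a.b.example.org" and the bare "example.org" are both rejected by "*.example.org", and that a NULL hostname produces a distinct result the caller must act on.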

File:
1 edited

  • src/gnutls_hooks.c

    rd8ae2a0 r6bbc00a  
    16961696    unsigned int status;
    16971697
    1698     int err = gnutls_certificate_verify_peers3(session, NULL, &status);
     1698    /* Get peer hostname from a note left by mod_proxy */
     1699    const char *peer_hostname =
     1700        apr_table_get(ctxt->c->notes, "proxy-request-hostname");
     1701    if (peer_hostname == NULL)
     1702        ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, ctxt->c,
     1703                      "%s: proxy-request-hostname is NULL, cannot check "
     1704                      "peer's hostname", __func__);
     1705
     1706    /* Verify certificate, including hostname match. Should
     1707     * peer_hostname be NULL for some reason, the name is not
     1708     * checked. */
     1709    int err = gnutls_certificate_verify_peers3(session, peer_hostname,
     1710                                               &status);
    16991711    if (err != GNUTLS_E_SUCCESS)
    17001712    {
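Review bot: the NULL branch at lines 1701 to 1710 fails open. When the "proxy-request-hostname" note is missing, the code logs a warning and still calls gnutls_certificate_verify_peers3(session, NULL, &status), so any certificate chaining to a trusted CA is accepted for any back end name, which is the substitution a hostname check exists to prevent. Treat the missing note as a verification failure (return an error or mark the connection unverified), or at least log at APLOG_ERR and continue only when a configuration option explicitly permits an unverified back end; and reword the comment "Should peer_hostname be NULL for some reason, the name is not checked" to state the chosen policy instead of describing a silent downgrade. Also worth confirming in the code that follows `if (err != GNUTLS_E_SUCCESS)`: a name mismatch does not change err, GnuTLS reports it by setting GNUTLS_CERT_UNEXPECTED_OWNER in the status bitmask, so the status handling below the hunk must treat that bit as fatal for the hostname check to have any effect.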