3 Commits

Author SHA1 Message Date
Patrick Pelletier
4db9da6bbf pull in wildcard matching code from cURL
Now, https-client accepts both:

https://ip.appspot.com/ (matching wildcard certificate)
https://github.com/     (matching non-wildcard certificate)

but still rejects

https://www.kegel.com/  (non-matching wildcard certificate)

which should match the behavior of these sites in a web browser.
2013-02-27 21:22:03 -08:00
Patrick Pelletier
6021cb5027 avoid sign mismatch warning in openssl_hostname_validation.c
sample/openssl_hostname_validation.c: In function 'matches_common_name':
sample/openssl_hostname_validation.c:80: warning: comparison between signed and unsigned integer expressions
sample/openssl_hostname_validation.c: In function 'matches_subject_alternative_name':
sample/openssl_hostname_validation.c:124: warning: comparison between signed and unsigned integer expressions
2013-02-27 21:22:03 -08:00
Patrick Pelletier
64d9f161fe use iSECPartners code to validate hostname in certificate
The problem is that if you go to a website whose certificate does not
match its hostname, it should fail.  Try this in a web browser for
https://www.kegel.com/ for example.  Your web browser will say the
certificate is for *.pair.com, not for www.kegel.com, and won't let
you visit it without clicking through a bunch of scary warnings.

However, prior to this commit, https-client was happy to fetch
https://www.kegel.com/ without complaining.  That is bad.  Now, with
this commit, it will properly complain, which is good:

pelletier@chives:~/src/libevent/sample$ ./https-client https://www.kegel.com/
Got 'MatchNotFound' for hostname 'www.kegel.com' and certificate:
/C=US/postalCode=15203/ST=Pennsylvania/L=Pittsburgh/street=Suite 210/street=2403 Sidney Street/O=pair Networks, Inc./OU=Provided by pair Networks, Inc./OU=PairWildcardSSL $250,000/CN=*.pair.com
some request failed - no idea which one though!
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ppelletier@chives:~/src/libevent/sample$

It will still succeed for sites with an exactly-matching certificate,
such as https://github.com/ and that is also good!

However, the problem is that the iSECPartners code doesn't handle
wildcards, which means we reject https://ip.appspot.com/ even though
it is perfectly legitimate, because we don't understand the wildcard:

ppelletier@chives:~/src/libevent/sample$ ./https-client https://ip.appspot.com/
Got 'MatchNotFound' for hostname 'ip.appspot.com' and certificate:
/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.appspot.com
some request failed - no idea which one though!
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ppelletier@chives:~/src/libevent/sample$

So, we need to fix this.  In other words, "to be continued..."
2013-02-27 21:22:03 -08:00