[ipxe-devel] Wildcard HTTPS cert support.
Nicolas Sylvain
nsylvain at gmail.com
Wed Aug 28 21:50:37 UTC 2013
Hello,
I'm trying to fetch an image off a Google App Engine app. (Hosted on
appspot.com).
My script running :
imgfetch https://nsylvainoauth.appspot.com/test
This is failing because :
"server name incorrect (expected *.appspot.com, got nsylvainoauth.appsot.com
)"
I made a small change to actually add basic wildcard support to get
unstuck. It only works for cases like this one (leading wildcard).
Here's the patch if anyone is interested.
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -2456,10 +2456,25 @@ static void tls_validator_done ( struct
tls_session *tls, int rc ) {
/* Verify server name */
if ( ( cert->subject.name == NULL ) ||
( strcmp ( cert->subject.name, tls->name ) != 0 ) ) {
- DBGC ( tls, "TLS %p server name incorrect (expected %s, got "
- "%s)\n", tls, tls->name, cert->subject.name );
- rc = -EACCES_WRONG_NAME;
- goto err;
+ if ( cert->subject.name[0] == '*' ) {
+ char * subject_name = cert->subject.name + 1;
+ int subject_name_len = strlen(subject_name);
+ int host_name_len = strlen(tls->name);
+ if ( ( host_name_len < subject_name_len ||
+ ( strcmp( tls->name + host_name_len -
subject_name_len,
+ subject_name ) ) != 0 ) ) {
+ DBGC ( tls, "TLS %p wildcard server
name incorrect "
+ "(%s does not end with %s)\n",
tls, tls->name,
+ subject_name);
+ rc = -EACCES_WRONG_NAME;
+ goto err;
+ }
+ } else {
+ DBGC ( tls, "TLS %p server name incorrect
(expected %s, got "
+ "%s)\n", tls, tls->name, cert->subject.name );
+ rc = -EACCES_WRONG_NAME;
+ goto err;
+ }
}
Now it's actually failing about 50% of the time trying to do the OCSP
checks.. but I'll start another thread for this one.
Thanks
Nicolas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ipxe.org/pipermail/ipxe-devel/attachments/20130828/1eb267d1/attachment.htm>
More information about the ipxe-devel
mailing list