Skip to content

Commit

Permalink
tls/sni: do not enable client verification when SNI matching is done (#…
Browse files Browse the repository at this point in the history
…1172)

Currently, whenever a TLS handshake message is received and SNI
certificate matching is done, TLS peer verification is also enabled.
This ignores settings like verify_server and verify_client in the tls
struct and is not needed. Therefore, the call to explicitly enable peer
verification as part of SNI is removed.
  • Loading branch information
maximilianfridrich authored Jul 31, 2024
1 parent a64cb83 commit 133266f
Showing 1 changed file with 0 additions and 26 deletions.
26 changes: 0 additions & 26 deletions src/tls/openssl/sni.c
Original file line number Diff line number Diff line change
Expand Up @@ -135,30 +135,6 @@ struct tls_cert *tls_cert_for_sni(const struct tls *tls, const char *sni)
}


static int ssl_set_verify_client(SSL *ssl, const char *host)
{
struct sa sa;

if (!ssl || !host)
return EINVAL;

if (sa_set_str(&sa, host, 0)) {
SSL_set_hostflags(ssl,
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);

if (!SSL_set1_host(ssl, host)) {
DEBUG_WARNING("SSL_set1_host error\n");
ERR_clear_error();
return EPROTO;
}
}

SSL_set_verify(ssl, SSL_VERIFY_PEER, tls_verify_handler);

return 0;
}


static int ssl_servername_handler(SSL *ssl, int *al, void *arg)
{
struct tls *tls = arg;
Expand All @@ -185,8 +161,6 @@ static int ssl_servername_handler(SSL *ssl, int *al, void *arg)
return SSL_TLSEXT_ERR_ALERT_FATAL;
}

(void)ssl_set_verify_client(ssl, tls_cert_host(uc));

return SSL_TLSEXT_ERR_OK;
}

Expand Down

0 comments on commit 133266f

Please sign in to comment.