mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-13 23:14:46 +00:00
2ab88675ec
When support for passing SNI to the server was added in 1.6-dev3, there was no way to validate that the certificate presented by the server would really match the name requested in the SNI, which is quite a problem as it allows other (valid) certificates to be presented instead (when hitting the wrong server or due to a man in the middle).

This patch adds the missing check against the value passed in the SNI. The "verifyhost" value keeps precedence if set. If no SNI is used and no verifyhost directive is specified, then the certificate name is not checked (this is unchanged).

In order to extract the SNI value, it was necessary to make use of SSL_SESSION_get0_hostname(), which appeared in openssl 1.1.0. This is a trivial function which returns the value of s->tlsext_hostname, so it was provided in the compat layer for older versions.

After some refinements from Emmanuel, it now builds with openssl 1.0.2, openssl 1.1.0 and boringssl. A test file was provided to ease testing all cases.

After some careful observation period it may make sense to backport this to 1.7 and 1.6 as some users rightfully consider this limitation as a bug.

Cc: Emmanuel Hocdet <manu@gandi.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
design-thoughts
internals
lua-api
51Degrees-device-detection.txt
acl.fig
architecture.txt
close-options.txt
coding-style.txt
configuration.txt
cookie-options.txt
DeviceAtlas-device-detection.txt
gpl.txt
haproxy.1
intro.txt
lgpl.txt
linux-syn-cookies.txt
lua.txt
management.txt
netscaler-client-ip-insertion-protocol.txt
network-namespaces.txt
proxy-protocol.txt
queuing.fig
SPOE.txt
WURFL-device-detection.txt