From b724035045f0f1f187ae910f2d33ebf764637397 Mon Sep 17 00:00:00 2001 From: Kern Sibbald Date: Sat, 26 Jul 2014 15:10:21 +0200 Subject: [PATCH] Jim Raney's TLS patch --- bacula/src/lib/tls.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/bacula/src/lib/tls.c b/bacula/src/lib/tls.c index 959a559246..32d4c756de 100644 --- a/bacula/src/lib/tls.c +++ b/bacula/src/lib/tls.c @@ -281,6 +281,7 @@ bool tls_postconnect_verify_host(JCR *jcr, TLS_CONNECTION *tls, const char *host bool auth_success = false; int extensions; int i, j; + const char *pval, *phost; int cnLastPos = -1; X509_NAME_ENTRY *neCN; @@ -351,7 +352,15 @@ bool tls_postconnect_verify_host(JCR *jcr, TLS_CONNECTION *tls, const char *host for (j = 0; j < sk_CONF_VALUE_num(val); j++) { nval = sk_CONF_VALUE_value(val, j); if (strcmp(nval->name, "DNS") == 0) { - if (strcasecmp(nval->value, host) == 0) { + if (strncasecmp(nval->value, "*.", 2) == 0) { + Dmsg0(250, "Wildcard Certificate\n"); + pval = strstr(nval->value, "."); + phost = strstr(host, "."); + if (pval && phost && (strcasecmp(pval, phost) == 0)) { + auth_success = true; + goto success; + } + } else if (strcasecmp(nval->value, host) == 0) { auth_success = true; goto success; } @@ -374,7 +383,16 @@ bool tls_postconnect_verify_host(JCR *jcr, TLS_CONNECTION *tls, const char *host } neCN = X509_NAME_get_entry(subject, cnLastPos); asn1CN = X509_NAME_ENTRY_get_data(neCN); - if (strcasecmp((const char*)asn1CN->data, host) == 0) { + if (strncasecmp((const char*)asn1CN->data, "*.", 2) == 0) { + /* wildcard certificate */ + Dmsg0(250, "Wildcard Certificate\n"); + pval = strstr((const char*)asn1CN->data, "."); + phost = strstr(host, "."); + if (pval && phost && (strcasecmp(pval, phost) == 0)) { + auth_success = true; + goto success; + } + } else if (strcasecmp((const char*)asn1CN->data, host) == 0) { auth_success = true; break; } -- 2.39.5