/* SSL_VERIFY_NONE instructs OpenSSL not to abort SSL_connect if the
certificate is invalid. We verify the certificate separately in
- ssl_check_server_identity, which provides much better diagnostics
+ ssl_check_certificate, which provides much better diagnostics
than examining the error stack after a failed SSL_connect. */
SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_NONE, NULL);
return 0;
}
+#define ASTERISK_EXCLUDES_DOT /* mandated by rfc2818 */
+
/* Return 1 is STRING (case-insensitively) matches PATTERN, 0
otherwise. The recognized wildcard character is "*", which matches
any character in STRING except ".". Any number of the "*" wildcard
contain the wildcard character * which is considered to match any
single domain name component or component fragment. E.g., *.a.com
matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but
- not bar.com." */
+ not bar.com [or foo.bar.com]."
+
+ If the pattern contain no wildcards, pattern_match(a, b) is
+ equivalent to !strcasecmp(a, b). */
static int
pattern_match (const char *pattern, const char *string)
for (; *n != '\0'; n++)
if (TOLOWER (*n) == c && pattern_match (p, n))
return 1;
+#ifdef ASTERISK_EXCLUDES_DOT
else if (*n == '.')
return 0;
+#endif
return c == '\0';
}
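Review bot: The `#ifdef ASTERISK_EXCLUDES_DOT` around `else if (*n == '.') return 0;` is the only thing that enforces the rfc2818 rule the header comment promises (`*.a.com` must not match `bar.foo.a.com`), yet the macro is defined unconditionally in the same patch, so the conditional reads as a build-time option when in practice it is not one. Anyone who later undefines it to "disable" something would silently weaken hostname validation to a cross-component wildcard match with no warning at this site. I would either drop the `#ifdef` and keep the check unconditional, or put a one-line comment on it such as `/* rfc2818: a wildcard may not span a "." component boundary; removing this weakens server identity checks */` so the security role of the branch is explicit. The enclosing `pattern_match` body begins and ends outside this hunk.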
else
goto out;
}
- /* Check that HOST matches the common name in the certificate. ####
- The remains to be done:
+ /* Check that HOST matches the common name in the certificate.
+ #### The following remains to be done:
- It should use dNSName/ipAddress subjectAltName extensions if
available; according to rfc2818: "If a subjectAltName extension