From 159a1a923daef6fc90faf11ccf03dfefdd473f46 Mon Sep 17 00:00:00 2001 From: hniksic Date: Tue, 10 May 2005 14:16:00 -0700 Subject: [PATCH] [svn] Print certificate subject and issuer. --- src/ChangeLog | 5 +++++ src/openssl.c | 49 +++++++++++++++++++++++++++++++++++-------------- 2 files changed, 40 insertions(+), 14 deletions(-) diff --git a/src/ChangeLog b/src/ChangeLog index 41bca9f4..addf4db6 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2005-05-10 Hrvoje Niksic + + * openssl.c (ssl_check_server_identity): Print certificate subject + and issuer. + 2005-05-10 Hrvoje Niksic * res.c (res_register_specs): Correctly pass pointers to diff --git a/src/openssl.c b/src/openssl.c index 023f79c9..6f8ed4a5 100644 --- a/src/openssl.c +++ b/src/openssl.c @@ -41,12 +41,9 @@ so, delete this exception statement from your version. */ # include #endif -#include -#include -#include #include +#include #include -#include #include #include "wget.h" @@ -361,7 +358,7 @@ ssl_connect (int fd) int ssl_check_server_identity (int fd, const char *host) { - X509 *peer = NULL; + X509 *peer_cert = NULL; char peer_CN[256]; long vresult; int retval; @@ -373,8 +370,8 @@ ssl_check_server_identity (int fd, const char *host) SSL *ssl = (SSL *) fd_transport_context (fd); assert (ssl != NULL); - peer = SSL_get_peer_certificate (ssl); - if (!peer) + peer_cert = SSL_get_peer_certificate (ssl); + if (!peer_cert) { logprintf (LOG_NOTQUIET, _("%s: No certificate presented by %s.\n"), severity, escnonprint (host)); @@ -382,6 +379,18 @@ ssl_check_server_identity (int fd, const char *host) goto out; } +#ifdef ENABLE_DEBUG + if (opt.debug) + { + char *subject = X509_NAME_oneline (X509_get_subject_name (peer_cert), 0, 0); + char *issuer = X509_NAME_oneline (X509_get_issuer_name (peer_cert), 0, 0); + DEBUGP (("certificate:\n subject: %s\n issuer: %s\n", + escnonprint (subject), escnonprint (issuer))); + OPENSSL_free (subject); + OPENSSL_free (issuer); + } +#endif + vresult = SSL_get_verify_result (ssl); if (vresult != X509_V_OK) { @@ -393,14 +402,26 @@ ssl_check_server_identity (int fd, const char *host) goto out; } - /* Check that the common name matches HOST. + /* Check that the common name in the presented certificate matches + HOST. This is a very simple implementation that should be + improved in the following ways: + + 1. It should use dNSName if available; according to rfc2818: "If + a subjectAltName extension of type dNSName is present, that + MUST be used as the identity." Ditto for iPAddress. + + 2. It should support the wildcard character "*". Quoting + rfc2818, "Names may contain the wildcard character * which is + considered to match any single domain name component or + component fragment. E.g., *.a.com matches foo.a.com but not + bar.foo.a.com. f*.com matches foo.com but not bar.com." - #### This should use dNSName if available; according to rfc2818: - "If a subjectAltName extension of type dNSName is present, that - MUST be used as the identity." */ + 3. When matching against common names, it should loop over all + common names and choose the most specific (apparently the last + one). */ peer_CN[0] = '\0'; - X509_NAME_get_text_by_NID (X509_get_subject_name (peer), + X509_NAME_get_text_by_NID (X509_get_subject_name (peer_cert), NID_commonName, peer_CN, sizeof (peer_CN)); if (0 != strcasecmp (peer_CN, host)) { @@ -415,8 +436,8 @@ ssl_check_server_identity (int fd, const char *host) retval = 1; out: - if (peer) - X509_free (peer); + if (peer_cert) + X509_free (peer_cert); /* Allow --no-check-cert to disable certificate checking. */ return opt.check_cert ? retval : 1; -- 2.39.2