Hrvoje Niksic <hniksic@xxxxxxxxxx> writes:
> Specifically I am interested in the correctness of the code that
> loads the client certificates and checks for server certificates.
Here is the thing we definitely miss: Wget doesn't contain code that
checks the host identity presented by the server's certificate against
the host name input by the user. Given that OpenSSL is never given
the perceived host name, I don't see how it can perform that check
automatically. For example, the OpenSSL example at
http://tinyurl.com/7qavu includes this:
/* Check that the common name matches the host name*/
void check_cert(SSL *ssl, char *host)
{
X509 *peer;
char peer_CN[256];
if(SSL_get_verify_result(ssl)!=X509_V_OK)
berr_exit("Certificate doesn't verify");
/* Check the cert chain. The chain length is automatically checked
by OpenSSL when we set the verify depth in the ctx */
/*Check the common name*/
peer=SSL_get_peer_certificate(ssl);
X509_NAME_get_text_by_NID
(X509_get_subject_name(peer),
NID_commonName, peer_CN, 256);
if(strcasecmp(peer_CN,host))
err_exit
("Common name doesn't match host name");
}
curl contains much more elaborate code in ssluse.c:verifyhost().
Although I'm not sure Wget requires an exact replica of curl's logic,
*some* check seems necessary for, especially since we claim to verify
the server's certificate by default.
|
| 
