gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

使用X509_check_host单独处理CN/SAN匹配的校验,忽略verify_callback中域名不匹配的错误。

Browse Source
This commit is contained in:
zhengchao
2019-06-18 15:53:06 +08:00
parent 1c07da8f82
commit cb95cef46d
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
platform/src/ssl_trusted_cert_storage.cpp
View File

@@ -323,6 +323,11 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
case X509_V_ERR_CRL_HAS_EXPIRED:
ret=1;
break;
case X509_V_ERR_HOSTNAME_MISMATCH:
case X509_V_ERR_EMAIL_MISMATCH:
case X509_V_ERR_IP_ADDRESS_MISMATCH:
ret=1; //host match is verfied via X509_check_host
break;
default:
ret=0;
break;