www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

move server cert checking into generic ssl_check_public_cert function.

Browse Source 
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94252 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Doug MacEachern
2002-03-28 01:32:41 +00:00
parent 832f28d371
commit 886376b4cb
1 changed files with 61 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

114
modules/ssl/ssl_engine_init.c
View File

@@ -660,6 +660,66 @@ static void ssl_init_cert_chain(server_rec *s,
n, n == 1 ? "" : "s"); n, n == 1 ? "" : "s");
} }
static void ssl_check_public_cert(server_rec *s,
apr_pool_t *ptemp,
X509 *cert,
int type)
{
int is_ca, pathlen;
char *cn;
if (!cert) {
return;
}
/*
* Some information about the certificate(s)
*/
if (SSL_X509_isSGC(cert)) {
ssl_log(s, SSL_LOG_INFO|SSL_INIT,
"%s server certificate enables "
"Server Gated Cryptography (SGC)",
ssl_asn1_keystr(type));
}
if (SSL_X509_getBC(cert, &is_ca, &pathlen)) {
if (is_ca) {
ssl_log(s, SSL_LOG_WARN|SSL_INIT,
"%s server certificate is a CA certificate "
"(BasicConstraints: CA == TRUE !?)",
ssl_asn1_keystr(type));
}
if (pathlen > 0) {
ssl_log(s, SSL_LOG_WARN|SSL_INIT,
"%s server certificate is not a leaf certificate "
"(BasicConstraints: pathlen == %d > 0 !?)",
ssl_asn1_keystr(type), pathlen);
}
}
if (SSL_X509_getCN(ptemp, cert, &cn)) {
int fnm_flags = FNM_PERIOD|FNM_CASE_BLIND;
if (apr_is_fnmatch(cn) &&
(apr_fnmatch(cn, s->server_hostname,
fnm_flags) == FNM_NOMATCH))
{
ssl_log(s, SSL_LOG_WARN|SSL_INIT,
"%s server certificate wildcard CommonName (CN) `%s' "
"does NOT match server name!?",
ssl_asn1_keystr(type), cn);
}
else if (strNE(s->server_hostname, cn)) {
ssl_log(s, SSL_LOG_WARN|SSL_INIT,
"%s server certificate CommonName (CN) `%s' "
"does NOT match server name!?",
ssl_asn1_keystr(type), cn);
}
}
}
/* /*
* Configure a particular server * Configure a particular server
*/ */
@@ -669,7 +729,6 @@ void ssl_init_ConfigureServer(server_rec *s,
SSLSrvConfigRec *sc) SSLSrvConfigRec *sc)
{ {
SSLModConfigRec *mc = myModConfig(s); SSLModConfigRec *mc = myModConfig(s);
char *cp;
const char *rsa_id, *dsa_id; const char *rsa_id, *dsa_id;
const char *vhost_id = sc->szVHostID; const char *vhost_id = sc->szVHostID;
EVP_PKEY *pkey; EVP_PKEY *pkey;
@@ -677,7 +736,6 @@ void ssl_init_ConfigureServer(server_rec *s,
ssl_asn1_t *asn1; ssl_asn1_t *asn1;
unsigned char *ptr; unsigned char *ptr;
BOOL ok = FALSE; BOOL ok = FALSE;
int is_ca, pathlen;
int i; int i;
ssl_init_check_server(s, p, ptemp, sc); ssl_init_check_server(s, p, ptemp, sc);
@@ -761,58 +819,8 @@ void ssl_init_ConfigureServer(server_rec *s,
ssl_die(); ssl_die();
} }
/*
* Some information about the certificate(s)
*/
for (i = 0; i < SSL_AIDX_MAX; i++) { for (i = 0; i < SSL_AIDX_MAX; i++) {
if (sc->pPublicCert[i]) { ssl_check_public_cert(s, ptemp, sc->pPublicCert[i], i);
if (SSL_X509_isSGC(sc->pPublicCert[i])) {
ssl_log(s, SSL_LOG_INFO|SSL_INIT,
"%s server certificate enables "
"Server Gated Cryptography (SGC)",
ssl_asn1_keystr(i));
}
if (SSL_X509_getBC(sc->pPublicCert[i], &is_ca, &pathlen)) {
if (is_ca) {
ssl_log(s, SSL_LOG_WARN|SSL_INIT,
"%s server certificate "
"is a CA certificate "
"(BasicConstraints: CA == TRUE !?)",
ssl_asn1_keystr(i));
}
if (pathlen > 0) {
ssl_log(s, SSL_LOG_WARN|SSL_INIT,
"%s server certificate "
"is not a leaf certificate "
"(BasicConstraints: pathlen == %d > 0 !?)",
ssl_asn1_keystr(i), pathlen);
}
}
if (SSL_X509_getCN(p, sc->pPublicCert[i], &cp)) {
int fnm_flags = FNM_PERIOD|FNM_CASE_BLIND;
if (apr_is_fnmatch(cp) &&
(apr_fnmatch(cp, s->server_hostname,
fnm_flags) == FNM_NOMATCH))
{
ssl_log(s, SSL_LOG_WARN|SSL_INIT,
"%s server certificate "
"wildcard CommonName (CN) `%s' "
"does NOT match server name!?",
ssl_asn1_keystr(i), cp);
}
else if (strNE(s->server_hostname, cp)) {
ssl_log(s, SSL_LOG_WARN|SSL_INIT,
"%s server certificate "
"CommonName (CN) `%s' "
"does NOT match server name!?",
ssl_asn1_keystr(i), cp);
}
}
}
} }
/* /*