authorTimo Teräs <timo.teras@iki.fi>2017-10-06 18:09:37 +0300
committerTimo Teräs <timo.teras@iki.fi>2017-10-06 18:09:37 +0300
commit0d814ba35b5e26eb9a42ea7a52521eca44306479 (patch)
tree156234c1d4b8e369c32e2b7460c34da84ab1a940
parenteb8f44d629aca3a780f7feedfee11794f14082ad (diff)
libfetch: fix certificate host name check
OpenSSL allows passing zero-length to indicate "use strlen". LibreSSL requires using the real length always, so pass the length.
-rw-r--r--libfetch/common.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/libfetch/common.c b/libfetch/common.c
index 278c606..3bd8a53 100644
--- a/libfetch/common.c
+++ b/libfetch/common.c
@@ -541,7 +541,7 @@ fetch_ssl(conn_t *conn, const struct url *URL, int verbose)
if (getenv("SSL_NO_VERIFY_HOSTNAME") == NULL) {
if (verbose)
fetch_info("Verify hostname");
- if (X509_check_host(conn->ssl_cert, URL->host, 0,
+ if (X509_check_host(conn->ssl_cert, URL->host, strlen(URL->host),
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,
NULL) != 1) {
fprintf(stderr, "SSL certificate subject doesn't match host %s\n",
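Review bot: The explicit `strlen(URL->host)` passed to X509_check_host has no comment saying why the length is given, so a reader used to OpenSSL's "zero means strlen" convention could change it back to `0`, which the commit message says LibreSSL does not accept. Consider adding `/* LibreSSL needs the real length; 0 is only an OpenSSL shorthand for strlen() */` directly above the call. Separately, the `!= 1` test sends X509_check_host's negative error returns (internal error, malformed input) down the same path as a plain mismatch; that fails closed, but the "subject doesn't match host" message will then be misleading when diagnosing a failed fetch. The body of fetch_ssl starts and ends outside this hunk, so the handling after the fprintf is not visible here.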