From 0d814ba35b5e26eb9a42ea7a52521eca44306479 Mon Sep 17 00:00:00 2001
From: Timo Teräs
Date: Fri, 6 Oct 2017 18:09:37 +0300
Subject: libfetch: fix certificate host name check

OpenSSL allows passing zero-length to indicate "use strlen". LibreSSL requires using the real length always, so pass the length.
---
 libfetch/common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libfetch/common.c b/libfetch/common.c
index 278c606..3bd8a53 100644
--- a/libfetch/common.c
+++ b/libfetch/common.c
@@ -541,7 +541,7 @@ fetch_ssl(conn_t *conn, const struct url *URL, int verbose)
 if (getenv("SSL_NO_VERIFY_HOSTNAME") == NULL) {
 if (verbose)
 fetch_info("Verify hostname");
- if (X509_check_host(conn->ssl_cert, URL->host, 0,
+ if (X509_check_host(conn->ssl_cert, URL->host, strlen(URL->host),
 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,
 NULL) != 1) {
 fprintf(stderr, "SSL certificate subject doesn't match host %s\n",
--
cgit v1.2.3-70-g09d2
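Review bot: The explicit `strlen(URL->host)` passed to `X509_check_host()` carries no comment explaining why it is there, so a later cleanup could shorten it back to `0`, which per the commit message LibreSSL does not accept as "use strlen". I would add a line above the call such as `/* LibreSSL does not treat a zero length as "use strlen"; always pass the real length. */`. The `!= 1` comparison should stay exactly as written, since it rejects the negative error returns as well as a plain mismatch and so fails closed. fetch_ssl's body starts and ends outside the hunk, so the handling after the `fprintf` is not visible here.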