projects / exim.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Restrict certificate name checkin for wildcards.
[exim.git] / src / src / tls-openssl.c
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index bcca506e0011c034ce689bc550b22397f25b6fc6..9609d62526682e3647e5476e1393bb8de3d6f7db 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -327,13 +327,25 @@ else
        /* client, wanting hostname check */
 
 # if OPENSSL_VERSION_NUMBER >= 0x010100000L || OPENSSL_VERSION_NUMBER >= 0x010002000L
+#  ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
+#   define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
+#  endif
     {
     int sep = 0;
     uschar * list = verify_cert_hostnames;
     uschar * name;
-    while (name = string_nextinlist(&list, &sep, NULL, 0))
-      if (X509_check_host(cert, name, 0, 0))
+    int rc;
+    while ((name = string_nextinlist(&list, &sep, NULL, 0)))
+      if ((rc = X509_check_host(cert, name, 0,
+                 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)))
+       {
+       if (rc < 0)
+         {
+         log_write(0, LOG_MAIN, "SSL verify error: internal error\n");
+         name = NULL;
+         }
        break;
+       }
     if (!name)
       {
       log_write(0, LOG_MAIN,
Unnamed repository; edit this file 'description' to name the repository.