mbedtls/polarssl: set "hostname" unconditionally
...as otherwise the TLS libs will skip the CN/SAN check and just allow a connection to any server. curl previously skipped this function when SNI wasn't used or when connecting to a host specified as an IP address. CVE-2016-3739 Bug: https://curl.haxx.se/docs/adv_20160518A.html Reported-by: Moti Avrahami
This commit is contained in:
parent
5db313985e
commit
6efd2fa529
@ -391,13 +391,12 @@ mbed_connect_step1(struct connectdata *conn,
|
|||||||
mbedtls_ssl_conf_own_cert(&connssl->config,
|
mbedtls_ssl_conf_own_cert(&connssl->config,
|
||||||
&connssl->clicert, &connssl->pk);
|
&connssl->clicert, &connssl->pk);
|
||||||
}
|
}
|
||||||
if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
|
if(mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
|
||||||
#ifdef ENABLE_IPV6
|
/* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks *and*
|
||||||
!Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
|
the name to set in the SNI extension. So even if curl connects to a
|
||||||
#endif
|
host specified as an IP address, this function must be used. */
|
||||||
sni && mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
|
failf(data, "couldn't set hostname in mbedTLS");
|
||||||
infof(data, "WARNING: failed to configure "
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
"server name indication (SNI) TLS extension\n");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef HAS_ALPN
|
#ifdef HAS_ALPN
|
||||||
|
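Review bot: The new comment in mbed_connect_step1 says the call is coupled to SNI but not why making it for an IP literal is the right trade-off, so a later reader may be tempted to restore the Curl_inet_pton guard that this hunk removes. RFC 6066 does not permit literal IPv4/IPv6 addresses in the SNI HostName, yet as the comment notes the library uses the same name for the CN/SAN check, and skipping the call disables server name verification entirely (CVE-2016-3739). I would extend the comment with one sentence: `Sending an IP literal in SNI is not RFC 6066-clean, but skipping the call would disable the CN/SAN check entirely (CVE-2016-3739), which is far worse.` The same applies to the polarssl_connect_step1 hunk below. Both functions start and end outside the shown lines.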
@ -354,13 +354,12 @@ polarssl_connect_step1(struct connectdata *conn,
|
|||||||
ssl_set_own_cert_rsa(&connssl->ssl,
|
ssl_set_own_cert_rsa(&connssl->ssl,
|
||||||
&connssl->clicert, &connssl->rsa);
|
&connssl->clicert, &connssl->rsa);
|
||||||
|
|
||||||
if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
|
if(ssl_set_hostname(&connssl->ssl, conn->host.name)) {
|
||||||
#ifdef ENABLE_IPV6
|
/* ssl_set_hostname() sets the name to use in CN/SAN checks *and* the name
|
||||||
!Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
|
to set in the SNI extension. So even if curl connects to a host
|
||||||
#endif
|
specified as an IP address, this function must be used. */
|
||||||
sni && ssl_set_hostname(&connssl->ssl, conn->host.name)) {
|
failf(data, "couldn't set hostname in PolarSSL");
|
||||||
infof(data, "WARNING: failed to configure "
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
"server name indication (SNI) TLS extension\n");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef HAS_ALPN
|
#ifdef HAS_ALPN
|
||||||
|
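Review bot: With the Curl_inet_pton() calls gone, the `addr` buffer and the `sni` flag that the old condition read no longer appear in this hunk of polarssl_connect_step1; their declarations are earlier in the function, outside the shown lines, so if the commit does not also drop them the build will report unused variables under -Wall/-Wextra (the same holds for mbed_connect_step1 in the hunk above). If they have no other use in the function, remove the declarations rather than silencing the warning. polarssl_connect_step1 starts and ends outside this hunk.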