diff options
author | Emilia Kasper <emilia@openssl.org> | 2015-02-05 16:38:54 +0100 |
---|---|---|
committer | Emilia Kasper <emilia@openssl.org> | 2015-02-10 15:36:03 +0100 |
commit | 95929797a01eb4ad42694f1f848bdbb9decbcefe (patch) | |
tree | 56cf46001e6839c97bf5a172321afa23ea24e930 /apps | |
parent | bcfaa4eeee5bbb2ddf9545e41b62cbfc10ad60b0 (diff) |
Fix hostname validation in the command-line tool to honour negative return values.
Specifically, an ASN.1 NumericString in the certificate CN will fail UTF-8 conversion
and result in a negative return value, which the "x509 -checkhost" command-line option
incorrectly interpreted as success.
Also update X509_check_host docs to reflect reality.
Thanks to Sean Burford (Google) for reporting this issue.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 0923e7df9eafec6db9c75405d7085ec8581f01bd)
Diffstat (limited to 'apps')
-rw-r--r-- | apps/apps.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/apps/apps.c b/apps/apps.c index e6bb48f085..ef5d087eb6 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2775,7 +2775,7 @@ void print_cert_checks(BIO *bio, X509 *x, return; if (checkhost) { BIO_printf(bio, "Hostname %s does%s match certificate\n", - checkhost, X509_check_host(x, checkhost, 0, 0, NULL) + checkhost, X509_check_host(x, checkhost, 0, 0, NULL) == 1 ? "" : " NOT"); } |