Check the certificate name when reconnecting to an instance

refs #10963
2016-01-19 16:24:12 +01:00 · 2016-01-19 16:24:12 +01:00 · e4b7111577
parent b1aa6cc98a
commit e4b7111577
3 changed files with 17 additions and 5 deletions
--- a/lib/base/tlsstream.cpp
+++ b/lib/base/tlsstream.cpp
@ -85,7 +85,7 @@ TlsStream::TlsStream(const Socket::Ptr& socket, const String& hostname, Connecti

 TlsStream::~TlsStream(void)
 {
-	Close();
+	CloseInternal(true);
 }

 int TlsStream::ValidateCertificate(int preverify_ok, X509_STORE_CTX *ctx)
@ -310,17 +310,21 @@ void TlsStream::Shutdown(void)
 */
 void TlsStream::Close(void)
 {
-	if (!m_Eof) {
+	CloseInternal(false);
+}
+
+void TlsStream::CloseInternal(bool inDestructor)
+{
+	if (!m_Eof && !inDestructor) {
 		m_Eof = true;
 		SignalDataAvailable();
 	}

-	Stream::Close();
-
 	SocketEvents::Unregister();

-	boost::mutex::scoped_lock lock(m_Mutex);
+	Stream::Close();

+	boost::mutex::scoped_lock lock(m_Mutex);

 	if (!m_SSL)
 		return;
--- a/lib/base/tlsstream.hpp
+++ b/lib/base/tlsstream.hpp
@ -99,6 +99,8 @@ private:

 	static int ValidateCertificate(int preverify_ok, X509_STORE_CTX *ctx);
 	static void NullCertificateDeleter(X509 *certificate);
+
+	void CloseInternal(bool inDestructor);
 };

 }
--- a/lib/remote/apilistener.cpp
+++ b/lib/remote/apilistener.cpp
@ -321,6 +321,12 @@ void ApiListener::NewClientHandlerInternal(const Socket::Ptr& client, const Stri
 			return;
 		}

+		if (!hostname.IsEmpty() && identity != hostname) {
+			Log(LogInformation, "ApiListener")
+			    << "Unexpected certificate common name while connecting to endpoint '" << hostname << "': got '" << identity << "'";
+			return;
+		}
+
 		verify_ok = tlsStream->IsVerifyOK();

 		Log(LogInformation, "ApiListener")