From e4b7111577b6fc746d9784bafcc46ca36cd5e61b Mon Sep 17 00:00:00 2001
From: Gunnar Beutner
Date: Tue, 19 Jan 2016 16:24:12 +0100
Subject: [PATCH] Check the certificate name when reconnecting to an instance

refs #10963
---
 lib/base/tlsstream.cpp | 14 +++++++++-----
 lib/base/tlsstream.hpp | 2 ++
 lib/remote/apilistener.cpp | 6 ++++++
 3 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/lib/base/tlsstream.cpp b/lib/base/tlsstream.cpp
index 55d97eb1e..f9b63864a 100644
--- a/lib/base/tlsstream.cpp
+++ b/lib/base/tlsstream.cpp
@@ -85,7 +85,7 @@ TlsStream::TlsStream(const Socket::Ptr& socket, const String& hostname, Connecti
 TlsStream::~TlsStream(void)
 {
- Close();
+ CloseInternal(true);
 }
 int TlsStream::ValidateCertificate(int preverify_ok, X509_STORE_CTX *ctx)
@@ -310,17 +310,21 @@ void TlsStream::Shutdown(void)
  */
 void TlsStream::Close(void)
 {
- if (!m_Eof) {
+ CloseInternal(false);
+}
+
+void TlsStream::CloseInternal(bool inDestructor)
+{
+ if (!m_Eof && !inDestructor) {
 m_Eof = true;
 SignalDataAvailable();
 }
- Stream::Close();
- SocketEvents::Unregister();
- boost::mutex::scoped_lock lock(m_Mutex);
+ Stream::Close();
+ boost::mutex::scoped_lock lock(m_Mutex);
 if (!m_SSL)
 return;
diff --git a/lib/base/tlsstream.hpp b/lib/base/tlsstream.hpp
index ff482fa1f..132f66784 100644
--- a/lib/base/tlsstream.hpp
+++ b/lib/base/tlsstream.hpp
@@ -99,6 +99,8 @@ private:
 static int ValidateCertificate(int preverify_ok, X509_STORE_CTX *ctx);
 static void NullCertificateDeleter(X509 *certificate);
+
+ void CloseInternal(bool inDestructor);
 };
 }
diff --git a/lib/remote/apilistener.cpp b/lib/remote/apilistener.cpp
index bc49a2f30..b207587a3 100644
--- a/lib/remote/apilistener.cpp
+++ b/lib/remote/apilistener.cpp
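Review bot: The `inDestructor` flag in the new `TlsStream::CloseInternal` makes the destructor path skip both setting `m_Eof` and the `SignalDataAvailable()` wake-up, and neither this definition nor the declaration added in tlsstream.hpp says why, so the next reader will take the skipped signal for a bug. Suggest a comment above the definition such as `/* inDestructor: called from ~TlsStream(); the EOF flag and SignalDataAvailable() are skipped there, presumably because signalling would call into an object already being destroyed -- confirm */`. In this rendering the old `SocketEvents::Unregister();` appears only on the removed side of the second hunk; if it really was dropped rather than surviving as a context line lost in the collapse, the socket stays registered with the event loop after the SSL object is torn down, which is worth checking against the full file. The body of CloseInternal continues past the end of the hunk.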
@@ -321,6 +321,12 @@ void ApiListener::NewClientHandlerInternal(const Socket::Ptr& client, const Stri
 return;
 }
+ if (!hostname.IsEmpty() && identity != hostname) {
+ Log(LogInformation, "ApiListener")
+ << "Unexpected certificate common name while connecting to endpoint '" << hostname << "': got '" << identity << "'";
+ return;
+ }
+
 verify_ok = tlsStream->IsVerifyOK();
 Log(LogInformation, "ApiListener")
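Review bot: The new early return on a common-name mismatch does not visibly close `tlsStream`, so a handshaked connection to a peer presenting the wrong identity is left for the caller or the socket's lifetime to clean up; if the `return;` just above this hunk closes the stream first, the new branch should mirror it with `tlsStream->Close();` before its `return;`. A peer identity that does not match the configured endpoint name is an authentication failure on an outbound connection rather than routine progress, so `LogWarning` would fit the message better than `LogInformation`, which the surrounding connection messages use. The comparison is an exact `String` compare against the endpoint name, which is consistent with how the identity is matched elsewhere only if endpoint names are never case-folded; worth a short comment. NewClientHandlerInternal starts before and continues after this hunk.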