summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--content/fetchers/curl.c35
-rw-r--r--include/netsurf/ssl_certs.h2
-rw-r--r--resources/FatMessages2
-rw-r--r--utils/messages.c4
4 files changed, 23 insertions, 20 deletions
diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index db41b32cb..50c5d6473 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -39,6 +39,7 @@
#include <time.h>
#include <sys/stat.h>
#include <openssl/ssl.h>
+#include <openssl/x509v3.h>
#include <libwapcaplet/libwapcaplet.h>
#include <nsutils/time.h>
@@ -594,6 +595,9 @@ fetch_curl_report_certs_upstream(struct curl_fetch_info *f)
case X509_V_ERR_CERT_REVOKED:
ssl_certs[depth].err = SSL_CERT_ERR_REVOKED;
break;
+ case X509_V_ERR_HOSTNAME_MISMATCH:
+ ssl_certs[depth].err = SSL_CERT_ERR_HOSTNAME_MISMATCH;
+ break;
default:
ssl_certs[depth].err = SSL_CERT_ERR_UNKNOWN;
break;
@@ -689,9 +693,20 @@ static int fetch_curl_cert_verify_callback(X509_STORE_CTX *x509_ctx, void *parm)
{
struct curl_fetch_info *f = (struct curl_fetch_info *) parm;
int ok;
+ X509_VERIFY_PARAM *vparam;
+
+ /* Configure the verification parameters to include hostname */
+ vparam = X509_STORE_CTX_get0_param(x509_ctx);
+ X509_VERIFY_PARAM_set_hostflags(vparam, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+
+ ok = X509_VERIFY_PARAM_set1_host(vparam,
+ lwc_string_data(f->host),
+ lwc_string_length(f->host));
/* Store fetch struct in context for verify callback */
- ok = X509_STORE_CTX_set_app_data(x509_ctx, parm);
+ if (ok) {
+ ok = X509_STORE_CTX_set_app_data(x509_ctx, parm);
+ }
/* verify the certificate chain using standard call */
if (ok) {
@@ -1181,21 +1196,9 @@ static void fetch_curl_done(CURL *curl_handle, CURLcode result)
;
} else if (result == CURLE_SSL_PEER_CERTIFICATE ||
result == CURLE_SSL_CACERT) {
- /*
- * curl in 7.63.0 (https://github.com/curl/curl/pull/3291)
- * unified *all* SSL errors into the single
- * CURLE_PEER_FAILED_VERIFICATION depricating
- * CURLE_SSL_PEER_CERTIFICATE and CURLE_SSL_CACERT
- *
- * This change complete removed the ability to
- * distinguish between certificate errors, host
- * verification errors or any other failure reason
- * using the curl result code.
- *
- * The result is when certificate error message is
- * sent there is currently no way of informing the
- * llcache about host verification faliures as the
- * certificate chain has no error codes set.
+ /* Some kind of failure has occurred. If we don't know
+ * what happened, we'll have reported unknown errors up
+ * to the user already via the certificate chain error fields.
*/
cert = true;
} else {
diff --git a/include/netsurf/ssl_certs.h b/include/netsurf/ssl_certs.h
index c77c2996d..7e933b10c 100644
--- a/include/netsurf/ssl_certs.h
+++ b/include/netsurf/ssl_certs.h
@@ -38,7 +38,7 @@ typedef enum {
SSL_CERT_ERR_SELF_SIGNED, /**< This certificate (or the chain) is self signed */
SSL_CERT_ERR_CHAIN_SELF_SIGNED, /**< This certificate chain is self signed */
SSL_CERT_ERR_REVOKED, /**< This certificate has been revoked */
- SSL_CERT_ERR_COMMON_NAME, /**< This certificate host did not match teh server */
+ SSL_CERT_ERR_HOSTNAME_MISMATCH, /**< This certificate host did not match the server */
} ssl_cert_err;
/**
diff --git a/resources/FatMessages b/resources/FatMessages
index 7dd39700b..54c69b8a5 100644
--- a/resources/FatMessages
+++ b/resources/FatMessages
@@ -1076,7 +1076,7 @@ en.all.SSLCertErrTooOld:The certificate has expired.
en.all.SSLCertErrSelfSigned:The certificate is self signed.
en.all.SSLCertErrChainSelfSigned:The certificate chain is self signed.
en.all.SSLCertErrRevoked:The certificate has been revoked by the issuer.
-en.all.SSLCertErrCommonName:The certificate is for a different host than the server
+en.all.SSLCertErrHostnameMismatch:The certificate is for a different host than the server
# SSL certificate viewer
diff --git a/utils/messages.c b/utils/messages.c
index c4a7959cf..0d2085c08 100644
--- a/utils/messages.c
+++ b/utils/messages.c
@@ -383,9 +383,9 @@ const char *messages_get_sslcode(ssl_cert_err code)
/* This certificate has been revoked */
return messages_get_ctx("SSLCertErrRevoked", messages_hash);
- case SSL_CERT_ERR_COMMON_NAME:
+ case SSL_CERT_ERR_HOSTNAME_MISMATCH:
/* Common name is invalid */
- return messages_get_ctx("SSLCertErrCommonName", messages_hash);
+ return messages_get_ctx("SSLCertErrHostnameMismatch", messages_hash);
}