ssl-verify-host: fix verifying ip addresses containing zero's (#732)

* ssl-verify-host: fix verifying ip addresses containing zero's If the subject alternate name contained an ip address with an zero (like 10.42.0.1) it could not successfully verify. It is because in c++ strings are null-terminated and therefore strlen(name) would return a wrong result. As I can not see why we can not trust the length returned by openssl, lets drop this check. * ssl-verify-host: add test case lets try to validate against 127.0.0.1 Co-authored-by: Daniel Ottiger <daniel.ottiger@ch.schindler.com>
2025-05-15 01:08:27 +00:00 · 2020-11-03 02:27:34 +01:00 · 2020-11-03 02:27:34 +01:00 · 6e1879dfae
commit 6e1879dfae
parent eb1d2e04bc
4 changed files with 37 additions and 9 deletions
--- a/test/test.cc
+++ b/test/test.cc
@ -7,6 +7,7 @@
 #include <thread>

 #define SERVER_CERT_FILE "./cert.pem"
+#define SERVER_CERT2_FILE "./cert2.pem"
 #define SERVER_PRIVATE_KEY_FILE "./key.pem"
 #define CA_CERT_FILE "./ca-bundle.crt"
 #define CLIENT_CA_CERT_FILE "./rootCA.cert.pem"
@ -3245,6 +3246,31 @@ TEST(SSLClientTest, ServerCertificateVerification3) {
  ASSERT_EQ(301, res->status);
 }

+TEST(SSLClientTest, ServerCertificateVerification4) {
+  SSLServer svr(SERVER_CERT2_FILE, SERVER_PRIVATE_KEY_FILE);
+  ASSERT_TRUE(svr.is_valid());
+
+  svr.Get("/test", [&](const Request &req, Response &res) {
+    res.set_content("test", "text/plain");
+    svr.stop();
+    ASSERT_TRUE(true);
+  });
+
+  thread t = thread([&]() { ASSERT_TRUE(svr.listen("127.0.0.1", PORT)); });
+  std::this_thread::sleep_for(std::chrono::milliseconds(1));
+
+  SSLClient cli("127.0.0.1", PORT);
+  cli.set_ca_cert_path(SERVER_CERT2_FILE);
+  cli.enable_server_certificate_verification(true);
+  cli.set_connection_timeout(30);
+
+  auto res = cli.Get("/test");
+  ASSERT_TRUE(res);
+  ASSERT_EQ(200, res->status);
+
+  t.join();
+}
+
 TEST(SSLClientTest, WildcardHostNameMatch) {
  SSLClient cli("www.youtube.com");