]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
gnutls_x509_crt_check_hostname2: check CN for match only if certificate would have...
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 26 Mar 2015 08:25:10 +0000 (09:25 +0100)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 26 Mar 2015 08:25:10 +0000 (09:25 +0100)
lib/x509/hostname-verify.c

index a9bca262a4a2b7e176e628e5b256849e3af3fa5b..62ad4fafa9f6fb234f4925bd6a21f04ae089b5d0 100644 (file)
@@ -165,7 +165,7 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
        /* try matching against:
         *  1) a DNS name as an alternative name (subjectAltName) extension
         *     in the certificate
-        *  2) the common name (CN) in the certificate
+        *  2) the common name (CN) in the certificate, if the certificate is acceptable for TLS_WWW_SERVER purpose
         *
         *  either of these may be of the form: *.domain.tld
         *
@@ -208,8 +208,11 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
                }
        }
 
-       if (!found_dnsname) {
-               /* did not get the necessary extension, use CN instead
+       if (!found_dnsname && _gnutls_check_key_purpose(cert, GNUTLS_KP_TLS_WWW_SERVER, 0) != 0) {
+               /* did not get the necessary extension, use CN instead, if the
+                * certificate would have been acceptable for a TLS WWW server purpose.
+                * That is because only for that purpose the CN is a valid field to
+                * store the hostname.
                 */
 
                /* enforce the RFC6125 (ยง1.8) requirement that only