From: Nikos Mavrogiannopoulos
Date: Fri, 27 Jun 2014 15:34:49 +0000 (+0200)
Subject: when verifying an IP, also verify it as a hostname
X-Git-Tag: gnutls_3_3_6~94
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3cf3bdfd0936b85866db680a4950588cb90235eb;p=thirdparty%2Fgnutls.git

when verifying an IP, also verify it as a hostname

There are several misconfigured servers that placed their IP as a DNS name. Pointed out by David Woodhouse.
---
diff --git a/lib/x509/rfc2818_hostname.c b/lib/x509/rfc2818_hostname.c
index ee21458c08..f4e1d04c22 100644
--- a/lib/x509/rfc2818_hostname.c
+++ b/lib/x509/rfc2818_hostname.c
@@ -131,11 +131,20 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
 gnutls_assert();
 goto hostname_fallback;
 }
- return check_ip(cert, &ipv6, 16, flags);
+ ret = check_ip(cert, &ipv6, 16, flags);
+#else
+ ret = 0;
 #endif
 } else {
- return check_ip(cert, &ipv4, 4, flags);
+ ret = check_ip(cert, &ipv4, 4, flags);
 }
+
+ if (ret != 0)
+ return ret;
+
+ /* There are several misconfigured servers, that place their IP
+ * in the DNS field of subjectAlternativeName. Don't break these
+ * configurations and verify the IP as it would have been a DNS name. */
 }
 hostname_fallback:
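Review bot: `if (ret != 0) return ret;` forwards every non-zero value from check_ip() to the caller as a match, so if check_ip() can ever return a negative gnutls error code (its body is not in this hunk), that error would be reported as a successful hostname match; unless check_ip() is known to return only 0 or 1, `if (ret > 0) return ret;` with a separate `if (ret < 0) return ret;` is the safer test. The fall-through now sends IP literals into the `hostname_fallback` path, which lies outside this hunk; if that path applies the usual dNSName wildcard matching, a certificate carrying a `*.` wildcard dNSName could match an address literal, which RFC 6125 §6.4.3 does not permit, so the fallback should compare the literal against dNSName entries exactly rather than with wildcard expansion. The added three-line comment would read better above the `if (ret != 0)` check it explains instead of after the `return`, where it currently precedes only the closing brace. gnutls_x509_crt_check_hostname2() begins before and continues after this hunk.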