tls_process_server_hello(): With retry config validate the outer hostname
authorsftcd <stephen.farrell@cs.tcd.ie>
Thu, 18 Dec 2025 14:16:10 +0000 (14:16 +0000)
committerMatt Caswell <matt@openssl.org>
Fri, 20 Feb 2026 16:40:25 +0000 (16:40 +0000)
Call SSL_set1_host() to apply the outer hostname to the certificate
validation.

Fixes DEF-02-009

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
MergeDate: Wed Feb 11 17:19:14 2026
(Merged from https://github.com/openssl/openssl/pull/29593)

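--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1899,6 +1899,10 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt)
                     SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                     goto err;
                 }
+                if (SSL_set1_host(ssl, s->ext.ech.outer_hostname) != 1) {
+                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+                    goto err;
+                }
             }
         }
     }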
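Review bot: SSL_set1_host() called with a NULL or empty name clears the expected-hostname list and thereby disables hostname checking rather than enforcing it, so if `s->ext.ech.outer_hostname` can be NULL or "" when the added call runs, the new code would silently weaken certificate verification instead of failing closed; guard it first with `if (s->ext.ech.outer_hostname == NULL || *s->ext.ech.outer_hostname == '\0') { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; }`, or document the invariant that the outer name is always set on this path. SSL_set1_host() also replaces any names an application registered with SSL_add1_host(), which is presumably intended here since the server must authenticate as the outer (public) name once ECH has been rejected, and a short comment above the call such as `/* ECH rejected: verify the certificate against the outer (public) name, not the inner SNI */` would record why. tls_process_server_hello() begins and ends outside the hunk, and the definition of `ssl` is not visible here, so its relation to `s` is inferred.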