Check the certificate name when reconnecting to an instance
authorGunnar Beutner <gunnar@beutner.name>
Tue, 19 Jan 2016 15:24:12 +0000 (16:24 +0100)
committerGunnar Beutner <gunnar@beutner.name>
Tue, 23 Feb 2016 09:46:17 +0000 (10:46 +0100)
refs #10963

lib/base/tlsstream.cpp
lib/base/tlsstream.hpp
lib/remote/apilistener.cpp

index a431199f83b33738603aef27be0bd74556f3b163..f1248eee7d069263636d3c4893c74969efc59cb4 100644 (file)
@@ -85,7 +85,7 @@ TlsStream::TlsStream(const Socket::Ptr& socket, const String& hostname, Connecti
 
 TlsStream::~TlsStream(void)
 {
-       Close();
+       CloseInternal(true);
 }
 
 int TlsStream::ValidateCertificate(int preverify_ok, X509_STORE_CTX *ctx)
@@ -321,10 +321,6 @@ void TlsStream::Shutdown(void)
  */
 void TlsStream::Close(void)
 {
-<<<<<<< HEAD
-       if (!m_Eof) {
-               m_Eof = true;
-=======
        CloseInternal(false);
 }
 
@@ -336,15 +332,13 @@ void TlsStream::CloseInternal(bool inDestructor)
        m_Eof = true;
 
        if (!inDestructor)
->>>>>>> 2dc385e... Fix memory/thread leak in the HttpServerConnection class
                SignalDataAvailable();
 
-       Stream::Close();
-
        SocketEvents::Unregister();
 
-       boost::mutex::scoped_lock lock(m_Mutex);
+       Stream::Close();
 
+       boost::mutex::scoped_lock lock(m_Mutex);
 
        if (!m_SSL)
                return;
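Review bot: CloseInternal() has no re-entry guard on the new side: `m_Eof = true;` runs unconditionally at the top, so a second call — which now happens whenever ~TlsStream() runs after an explicit Close(), per the destructor hunk above — repeats SocketEvents::Unregister() and Stream::Close() and then reaches the SSL teardown after `if (!m_SSL) return;`, whose tolerance for a double call is outside this hunk. Unless m_Eof is also set on read EOF somewhere else (in which case a dedicated closed flag is needed), an early `if (m_Eof) return;` ahead of `m_Eof = true;` would make the destructor path a no-op after Close(). Note also that m_Eof is written and SignalDataAvailable() is called before `boost::mutex::scoped_lock lock(m_Mutex);` is taken, so any reader that checks m_Eof under m_Mutex elsewhere would race with this write. CloseInternal's body continues outside the hunk.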
index ff482fa1f9ebf35819bb981f82bee6c225b7d147..132f667840e3d5395729268c8bcc353ff2d943bc 100644 (file)
@@ -99,6 +99,8 @@ private:
 
        static int ValidateCertificate(int preverify_ok, X509_STORE_CTX *ctx);
        static void NullCertificateDeleter(X509 *certificate);
+
+       void CloseInternal(bool inDestructor);
 };
 
 }
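Review bot: The new private declaration says nothing about what `inDestructor` changes, and a reader of the header cannot tell that Close() and ~TlsStream() share this body; from the tlsstream.cpp hunk in this commit the flag only suppresses SignalDataAvailable(). Document it at the declaration: `/* Common body of Close() and ~TlsStream(); inDestructor=true skips SignalDataAvailable(). */`.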
index 77049f71d04011adecde15f008722eb90dc49add..08c9fa8ee115c4e04a202b8c718dcf9a8229b1d6 100644 (file)
@@ -321,6 +321,12 @@ void ApiListener::NewClientHandlerInternal(const Socket::Ptr& client, const Stri
                        return;
                }
 
+               if (!hostname.IsEmpty() && identity != hostname) {
+                       Log(LogInformation, "ApiListener")
+                           << "Unexpected certificate common name while connecting to endpoint '" << hostname << "': got '" << identity << "'";
+                       return;
+               }
+
                verify_ok = tlsStream->IsVerifyOK();
 
                Log(LogInformation, "ApiListener")
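Review bot: The new mismatch branch logs at LogInformation, the same severity as the routine connection line that follows it, although a certificate whose CN differs from the endpoint we dialed is exactly what a mis-issued certificate or an interposed peer looks like; log it with `Log(LogWarning, "ApiListener")` (or LogCritical) so it is not buried in normal traffic. The `!hostname.IsEmpty()` guard presumably exempts inbound connections, for which no expected name exists — if so, say it: `// hostname is only known for connections we initiated; inbound peers carry no expected CN`. The check runs before IsVerifyOK() is consulted, so a matching name on a certificate that failed verification still falls through to the verify_ok handling outside this hunk, which must reject it; and the early `return` relies on the tlsStream being torn down by its destructor (which this commit makes call CloseInternal(true)) rather than an explicit Close(), which only holds if no other reference to the stream survives. NewClientHandlerInternal starts and ends outside the hunk.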