Check the certificate name when reconnecting to an instance

author Gunnar Beutner <gunnar@beutner.name>

Tue, 19 Jan 2016 15:24:12 +0000 (16:24 +0100)

committer Gunnar Beutner <gunnar@beutner.name>

Tue, 23 Feb 2016 09:46:17 +0000 (10:46 +0100)
author Gunnar Beutner <gunnar@beutner.name>
Tue, 19 Jan 2016 15:24:12 +0000 (16:24 +0100)
committer Gunnar Beutner <gunnar@beutner.name>
Tue, 23 Feb 2016 09:46:17 +0000 (10:46 +0100)
diff --git a/lib/base/tlsstream.cpp b/lib/base/tlsstream.cpp

index a431199f83b33738603aef27be0bd74556f3b163..f1248eee7d069263636d3c4893c74969efc59cb4 100644 (file)
--- a/lib/base/tlsstream.cpp
+++ b/lib/base/tlsstream.cpp
@@ -85,7 +85,7 @@ TlsStream::TlsStream(const Socket::Ptr& socket, const String& hostname, Connecti
  
  TlsStream::~TlsStream(void)
  {
-       Close();
+       CloseInternal(true);
  }
  
  int TlsStream::ValidateCertificate(int preverify_ok, X509_STORE_CTX *ctx)
@@ -321,10 +321,6 @@ void TlsStream::Shutdown(void)
   */
  void TlsStream::Close(void)
  {
-<<<<<<< HEAD
-       if (!m_Eof) {
-               m_Eof = true;
-=======
         CloseInternal(false);
  }
  
@@ -336,15 +332,13 @@ void TlsStream::CloseInternal(bool inDestructor)
         m_Eof = true;
  
         if (!inDestructor)
->>>>>>> 2dc385e... Fix memory/thread leak in the HttpServerConnection class
                 SignalDataAvailable();
  
-       Stream::Close();
-
         SocketEvents::Unregister();
  
-       boost::mutex::scoped_lock lock(m_Mutex);
+       Stream::Close();
  
+       boost::mutex::scoped_lock lock(m_Mutex);
  
         if (!m_SSL)
                 return;
diff --git a/lib/base/tlsstream.hpp b/lib/base/tlsstream.hpp

index ff482fa1f9ebf35819bb981f82bee6c225b7d147..132f667840e3d5395729268c8bcc353ff2d943bc 100644 (file)
--- a/lib/base/tlsstream.hpp
+++ b/lib/base/tlsstream.hpp
@@ -99,6 +99,8 @@ private:
  
         static int ValidateCertificate(int preverify_ok, X509_STORE_CTX *ctx);
         static void NullCertificateDeleter(X509 *certificate);
+
+       void CloseInternal(bool inDestructor);
  };
  
  }
diff --git a/lib/remote/apilistener.cpp b/lib/remote/apilistener.cpp

index 77049f71d04011adecde15f008722eb90dc49add..08c9fa8ee115c4e04a202b8c718dcf9a8229b1d6 100644 (file)
--- a/lib/remote/apilistener.cpp
+++ b/lib/remote/apilistener.cpp
@@ -321,6 +321,12 @@ void ApiListener::NewClientHandlerInternal(const Socket::Ptr& client, const Stri
                         return;
                 }
  
+               if (!hostname.IsEmpty() && identity != hostname) {
+                       Log(LogInformation, "ApiListener")
+                           << "Unexpected certificate common name while connecting to endpoint '" << hostname << "': got '" << identity << "'";
+                       return;
+               }
+
                 verify_ok = tlsStream->IsVerifyOK();
  
                 Log(LogInformation, "ApiListener")
author	Gunnar Beutner <gunnar@beutner.name>
	Tue, 19 Jan 2016 15:24:12 +0000 (16:24 +0100)
committer	Gunnar Beutner <gunnar@beutner.name>
	Tue, 23 Feb 2016 09:46:17 +0000 (10:46 +0100)
lib/base/tlsstream.cpp		patch \| blob \| history
lib/base/tlsstream.hpp		patch \| blob \| history
lib/remote/apilistener.cpp		patch \| blob \| history