Check the certificate name when reconnecting to an instance
authorGunnar Beutner <gunnar@beutner.name>
Tue, 19 Jan 2016 15:24:12 +0000 (16:24 +0100)
committerGunnar Beutner <gunnar@beutner.name>
Tue, 19 Jan 2016 15:24:12 +0000 (16:24 +0100)
refs #10963

lib/base/tlsstream.cpp
lib/base/tlsstream.hpp
lib/remote/apilistener.cpp

index 55d97eb1e9a4c6a4e788fd06a280c754025cae98..f9b63864a6e1906867cd31fbf6d88f0e25518fc8 100644 (file)
@@ -85,7 +85,7 @@ TlsStream::TlsStream(const Socket::Ptr& socket, const String& hostname, Connecti
 
 TlsStream::~TlsStream(void)
 {
-       Close();
+       CloseInternal(true);
 }
 
 int TlsStream::ValidateCertificate(int preverify_ok, X509_STORE_CTX *ctx)
@@ -310,17 +310,21 @@ void TlsStream::Shutdown(void)
  */
 void TlsStream::Close(void)
 {
-       if (!m_Eof) {
+       CloseInternal(false);
+}
+
+void TlsStream::CloseInternal(bool inDestructor)
+{
+       if (!m_Eof && !inDestructor) {
                m_Eof = true;
                SignalDataAvailable();
        }
 
-       Stream::Close();
-
        SocketEvents::Unregister();
 
-       boost::mutex::scoped_lock lock(m_Mutex);
+       Stream::Close();
 
+       boost::mutex::scoped_lock lock(m_Mutex);
 
        if (!m_SSL)
                return;
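Review bot: `CloseInternal(bool inDestructor)` leaves it to the reader to work out why the EOF flag and `SignalDataAvailable()` are skipped when `inDestructor` is true; the likely reason (no waiter can exist once the object is being destroyed, and the signalling path may touch state that is already gone) should be stated at the definition, e.g. `/* In the destructor there is nobody left to wake, so m_Eof is neither set nor signalled. */`, and the declaration added in tlsstream.hpp should carry the same note. `m_Eof` is still tested and written before `m_Mutex` is taken, as it was before the change; if any other thread reads `m_Eof` under the mutex, this reordering does not address that. `Stream::Close()` now runs after `SocketEvents::Unregister()` without the commit saying why; a one-line comment would keep the order from being swapped back. The rest of CloseInternal continues past the hunk.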
index ff482fa1f9ebf35819bb981f82bee6c225b7d147..132f667840e3d5395729268c8bcc353ff2d943bc 100644 (file)
@@ -99,6 +99,8 @@ private:
 
        static int ValidateCertificate(int preverify_ok, X509_STORE_CTX *ctx);
        static void NullCertificateDeleter(X509 *certificate);
+
+       void CloseInternal(bool inDestructor);
 };
 
 }
index bc49a2f3049bc570e44ff3f956e1e9456771ffc3..b207587a3e3f545eab865222fae817e15d66022d 100644 (file)
@@ -321,6 +321,12 @@ void ApiListener::NewClientHandlerInternal(const Socket::Ptr& client, const Stri
                        return;
                }
 
+               if (!hostname.IsEmpty() && identity != hostname) {
+                       Log(LogInformation, "ApiListener")
+                           << "Unexpected certificate common name while connecting to endpoint '" << hostname << "': got '" << identity << "'";
+                       return;
+               }
+
                verify_ok = tlsStream->IsVerifyOK();
 
                Log(LogInformation, "ApiListener")
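Review bot: The CN mismatch rejected at the new `if (!hostname.IsEmpty() && identity != hostname)` is logged at LogInformation, the same level as the routine connection messages below it, so an operator looking for problems will not see it; a peer presenting a certificate for a different name than the endpoint that was dialled is either a misconfiguration or an interception attempt and belongs at LogWarning: `Log(LogWarning, "ApiListener")`. The check runs before `verify_ok` is computed, which is fine since the connection is dropped either way, but a short comment would make that intentional, e.g. `/* Name check first: the peer must be the endpoint we connected to, regardless of chain validation. */`. NewClientHandlerInternal starts and ends outside the hunk.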