From: Joe Orton Date: Fri, 17 Feb 2006 11:43:37 +0000 (+0000) Subject: * modules/ssl/ssl_engine_init.c (ssl_check_public_cert): Fix spurious X-Git-Tag: 2.3.0~2535 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=20cf15d539a5f5244b6225aae3ec59fb99cfa59b;p=apache * modules/ssl/ssl_engine_init.c (ssl_check_public_cert): Fix spurious hostname-mismatch warning for valid wildcard certs. PR: 37911 Submitted by: Nick Burch git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@378487 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 419fe2fa92..3b3a73aaf5 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,9 @@ Changes with Apache 2.3.0 [Remove entries to the current 2.0 and 2.2 section below, when backported] + *) mod_ssl: Fix spurious hostname mismatch warning for valid + wildcard certificates. PR 37911. [Nick Burch ] + *) mod_proxy: Fix KeepAlives not being allowed and set to backend servers. PR 38602. [Ruediger Pluem, Jim Jagielski] diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 54c85fd741..da33ef9a15 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -856,14 +856,14 @@ static void ssl_check_public_cert(server_rec *s, if (SSL_X509_getCN(ptemp, cert, &cn)) { int fnm_flags = APR_FNM_PERIOD|APR_FNM_CASE_BLIND; - if (apr_fnmatch_test(cn) && - (apr_fnmatch(cn, s->server_hostname, - fnm_flags) == APR_FNM_NOMATCH)) - { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, - "%s server certificate wildcard CommonName (CN) `%s' " - "does NOT match server name!?", - ssl_asn1_keystr(type), cn); + if (apr_fnmatch_test(cn)) { + if (apr_fnmatch(cn, s->server_hostname, + fnm_flags) == APR_FNM_NOMATCH) { + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, + "%s server certificate wildcard CommonName " + "(CN) `%s' does NOT match server name!?", + ssl_asn1_keystr(type), cn); + } } else if (strNE(s->server_hostname, cn)) { ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
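Review bot: The inner test in the wildcard branch still decides a match with `apr_fnmatch(cn, s->server_hostname, fnm_flags)`, and with only `APR_FNM_PERIOD|APR_FNM_CASE_BLIND` set a `*` in the CN can span dots, so a CN such as `*.example.com` (constructed example) is accepted for `a.b.example.com` although RFC 2818 limits the wildcard to a single label; `?` and `[...]` in a CN are likewise read as glob syntax. Since this is only a startup warning, the effect is a missed diagnostic rather than a trust decision, but an administrator could deploy a certificate that clients reject without ever seeing the mismatch logged. I would at least record the limitation above the inner `if`, e.g. `/* apr_fnmatch '*' also matches '.', so this is looser than RFC 2818 wildcard matching; advisory only */`, and consider a label-wise comparison as a follow-up. The visible lines consult only the CN via `SSL_X509_getCN`; whether subjectAltName entries are checked elsewhere cannot be told from here, as ssl_check_public_cert continues outside the hunk.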