From bre...@apache.org
Subject svn commit: r1615214 - in /subversion/branches/1.7.x: ./ STATUS subversion/libsvn_ra_serf/util.c
Date Fri, 01 Aug 2014 20:11:05 GMT
Author: breser
Date: Fri Aug  1 20:11:05 2014
New Revision: 1615214

URL: http://svn.apache.org/r1615214
Log:
Merge the 1.7.x-san-cert branch:

 * r1565531, r1566503, r1568349
   Ignore the CommonName in SSL certs when there are Subject Alt Names.
   Justification:
     Comply with RFC 2818.
   Notes:
     Branch is required due to differences since 1.8.x added the ability
     to check intermediate certs via ssl trust providers to allow the Windows
     system trust store to be checked. r1568361, which is nominated for the similar
     1.8.x change, is not included in this backport since it doesn't make sense with the
     code structure in 1.7.x.
   Branch:
     ^/subversion/branches/1.7.x-san-cert
   Votes:
     +1: breser, stefan2, philipm

Modified:
    subversion/branches/1.7.x/   (props changed)
    subversion/branches/1.7.x/STATUS
    subversion/branches/1.7.x/subversion/libsvn_ra_serf/util.c

Propchange: subversion/branches/1.7.x/
------------------------------------------------------------------------------
  Merged /subversion/trunk:r1565531,1566503,1568349
  Merged /subversion/branches/1.7.x-san-cert:r1614969-1615212

Modified: subversion/branches/1.7.x/STATUS
URL: http://svn.apache.org/viewvc/subversion/branches/1.7.x/STATUS?rev=1615214&r1=1615213&r2=1615214&view=diff
==============================================================================
--- subversion/branches/1.7.x/STATUS (original)
+++ subversion/branches/1.7.x/STATUS Fri Aug  1 20:11:05 2014
@@ -137,21 +137,6 @@ Candidate changes:
    Votes:
      +1: rhuijben
 
- * r1565531, r1566503, r1568349
-   Ignore the CommonName in SSL certs when there are Subject Alt Names.
-   Justification:
-     Comply with RFC 2818.
-   Notes:
-     Branch is required due to differences since 1.8.x added the ability
-     to check intermediate certs via ssl trust providers to allow the the Windows'
-     system trust store to be checked. r1568361 which is nominated for the similar
-     1.8.x is not included in this backport since it doesn't make sense with the
-     code structure in 1.7.x.
-   Branch:
-     ^/subversion/branches/1.7.x-san-cert
-   Votes:
-     +1: breser, stefan2
-
 Veto-blocked changes:
 =====================
 

Modified: subversion/branches/1.7.x/subversion/libsvn_ra_serf/util.c
URL: http://svn.apache.org/viewvc/subversion/branches/1.7.x/subversion/libsvn_ra_serf/util.c?rev=1615214&r1=1615213&r2=1615214&view=diff
==============================================================================
--- subversion/branches/1.7.x/subversion/libsvn_ra_serf/util.c (original)
+++ subversion/branches/1.7.x/subversion/libsvn_ra_serf/util.c Fri Aug  1 20:11:05 2014
@@ -202,7 +202,8 @@ ssl_server_cert(void *baton, int failure
   apr_hash_t *issuer, *subject, *serf_cert;
   apr_array_header_t *san;
   void *creds;
-  int found_matching_hostname = 0;
+  svn_boolean_t found_matching_hostname = FALSE;
+  svn_boolean_t found_san_entry = FALSE;
 
   /* Implicitly approve any non-server certs. */
   if (serf_ssl_cert_depth(cert) > 0)
@@ -237,30 +238,39 @@ ssl_server_cert(void *baton, int failure
                   | conn->server_cert_failures);
 
   /* Try to find matching server name via subjectAltName first... */
-  if (san) {
+  if (san)
+    {
       int i;
-      for (i = 0; i < san->nelts; i++) {
+      found_san_entry = san->nelts > 0;
+      for (i = 0; i < san->nelts; i++)
+        {
           char *s = APR_ARRAY_IDX(san, i, char*);
-          if (apr_fnmatch(s, conn->hostname,
-                          APR_FNM_PERIOD | APR_FNM_CASE_BLIND) == APR_SUCCESS)
+          if (APR_SUCCESS == apr_fnmatch(s, conn->hostname,
+                          APR_FNM_PERIOD | APR_FNM_CASE_BLIND))
             {
-              found_matching_hostname = 1;
+              found_matching_hostname = TRUE;
               cert_info.hostname = s;
               break;
             }
-      }
-  }
+        }
+    }
 
-  /* Match server certificate CN with the hostname of the server */
-  if (!found_matching_hostname && cert_info.hostname)
+  /* Match server certificate CN with the hostname of the server iff
+   * we didn't find any subjectAltName fields and try to match them.
+   * Per RFC 2818 they are authoritative if present and CommonName
+   * should be ignored. */
+  if (!found_matching_hostname && !found_san_entry && cert_info.hostname)
     {
       if (apr_fnmatch(cert_info.hostname, conn->hostname,
-                      APR_FNM_PERIOD | APR_FNM_CASE_BLIND) == APR_FNM_NOMATCH)
+                      APR_FNM_PERIOD | APR_FNM_CASE_BLIND) == APR_SUCCESS)
         {
-          svn_failures |= SVN_AUTH_SSL_CNMISMATCH;
+          found_matching_hostname = TRUE;
         }
     }
 
+  if (!found_matching_hostname)
+    svn_failures |= SVN_AUTH_SSL_CNMISMATCH;
+
   svn_auth_set_parameter(conn->session->wc_callbacks->auth_baton,
                          SVN_AUTH_PARAM_SSL_SERVER_FAILURES,
                          &svn_failures);
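Review bot: The new `found_san_entry` gate does stop the CommonName from being consulted once any subjectAltName entry exists, but every SAN is still compared with `apr_fnmatch(s, conn->hostname, APR_FNM_PERIOD | APR_FNM_CASE_BLIND)`, and fnmatch's `*` is not label-aware, so as far as I can tell a `*.example.com` entry also matches `a.b.example.com`, which RFC 2818 §3.1 rules out; that predates this commit, but the SAN path now relies on it entirely, so a label-aware match (or a check that the pattern and `conn->hostname` have the same number of dot-separated labels) is worth a follow-up. Whether `san` holds only dNSName entries or can also carry other SAN types is not visible in this hunk; if it can, a cert with only non-DNS entries would set `found_san_entry` and suppress the CN fallback, which is likely intended but worth confirming against the serf accessor that fills `san`. The new comment above the CN branch reads awkwardly ("iff we didn't find any subjectAltName fields and try to match them"); I would write `/* Per RFC 2818 the subjectAltName entries are authoritative when present, so fall back to matching the CommonName only when the cert carries no SAN entries at all. */`. ssl_server_cert begins and ends outside this hunk.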


