author | Jose <jose@zeroc.com> | 2017-02-22 19:06:16 +0100 |
---|---|---|
committer | Jose <jose@zeroc.com> | 2017-02-22 19:06:16 +0100 |
commit | 88eceb7c051cdb53eb4009774d1fb6bebb95d4d5 (patch) | |
tree | da7e01e0533558bced252578ee88fb8d259eb1c8 | |
parent | Fix hostname verification to ignore errors when IceSSL.VerifyPeer is 0 (diff) | |
Disable SSL host name verification with empty host
-rw-r--r-- | cpp/src/IceSSL/UWPTransceiverI.cpp | 22 | ||||
-rw-r--r-- | csharp/src/IceSSL/TransceiverI.cs | 8 | ||||
-rw-r--r-- | java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java | 2 | ||||
-rw-r--r-- | java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java | 2 |
4 files changed, 28 insertions, 6 deletions
diff --git a/cpp/src/IceSSL/UWPTransceiverI.cpp b/cpp/src/IceSSL/UWPTransceiverI.cpp
index ca4bdc46afc..1f6eb168cd0 100644
--- a/cpp/src/IceSSL/UWPTransceiverI.cpp
+++ b/cpp/src/IceSSL/UWPTransceiverI.cpp
@@ -255,7 +255,10 @@ IceSSL::TransceiverI::startWrite(IceInternal::Buffer& buf)
         // stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::Expired);
         stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::IncompleteChain);
-        if(!_engine->getCheckCertName())
+        //
+        // Check if we need to enable host name verification
+        //
+        if(!_engine->getCheckCertName() || _host.empty())
         {
             stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::InvalidName);
         }
@@ -293,7 +296,22 @@ IceSSL::TransceiverI::finishWrite(IceInternal::Buffer& buf)
         {
             if(CERT_E_CN_NO_MATCH == asyncInfo->error)
             {
-                throw SecurityException(__FILE__, __LINE__, "Hostname mismatch");
+                ostringstream ostr;
+                ostr << "IceSSL: certificate validation failure: "
+                     << (IceInternal::isIpAddress(_host) ? "IP address mismatch" : "Hostname mismatch");
+                string msg = ostr.str();
+                if(_engine->securityTraceLevel() >= 1)
+                {
+                    Trace out(_logger, _securityTraceCategory);
+                    out << msg;
+                }
+
+                if(_engine->getVerifyPeer() > 0)
+                {
+                    SecurityException ex(__FILE__, __LINE__);
+                    ex.reason = msg;
+                    throw ex;
+                }
             }
             IceInternal::checkErrorCode(__FILE__, __LINE__, asyncInfo->error);
         }
diff --git a/csharp/src/IceSSL/TransceiverI.cs b/csharp/src/IceSSL/TransceiverI.cs
index f46396bd9a2..ea026ef098a 100644
--- a/csharp/src/IceSSL/TransceiverI.cs
+++ b/csharp/src/IceSSL/TransceiverI.cs
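Review bot: The new `_host.empty()` arm in startWrite makes InvalidName ignorable without leaving any record that name verification was skipped, so a connection opened without a target host now completes with the peer's certificate name unbound and nothing in the security trace says so, while the finishWrite change in this same commit does trace the mismatch case. I would trace the skip at the same level before appending InvalidName, using the `_logger`/`_securityTraceCategory` members that finishWrite already uses. The new comment `// Check if we need to enable host name verification` also reads backwards, since the block disables the check; say what the condition means instead. startWrite begins and ends outside the hunk.
```cpp
// … unchanged: IncompleteChain is appended above …
//
// Name verification needs a target host; with none, or with
// IceSSL.CheckCertName=0, a name mismatch is treated as ignorable.
//
if(!_engine->getCheckCertName() || _host.empty())
{
    if(_host.empty() && _engine->securityTraceLevel() >= 1)
    {
        Trace out(_logger, _securityTraceCategory);
        out << "IceSSL: host name verification skipped, no target host";
    }
    stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::InvalidName);
}
```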
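Review bot: The new `if(_engine->getVerifyPeer() > 0)` guard around the throw in finishWrite only changes which exception is raised, not whether one is: when VerifyPeer is 0 control falls through to `IceInternal::checkErrorCode(__FILE__, __LINE__, asyncInfo->error)` with the same CERT_E_CN_NO_MATCH code, which presumably still raises, so the name mismatch is traced but the connection is not actually tolerated as the parent commit's title ("ignore errors when IceSSL.VerifyPeer is 0") suggests. If the intent is to let the handshake proceed, the error has to be skipped before checkErrorCode (an early return that the rest of finishWrite, outside this hunk, would need to support), or more simply InvalidName should be made ignorable up front in startWrite when `_engine->getVerifyPeer() == 0` so the native stream never fails the handshake on it. If falling through is deliberate, say so: `// VerifyPeer=0: no SecurityException, but checkErrorCode still reports the failed handshake`. finishWrite begins and ends outside the hunk.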
@@ -605,9 +605,13 @@ namespace IceSSL
                 if((errors & (int)SslPolicyErrors.RemoteCertificateNameMismatch) > 0)
                 {
-                    if(_instance.engine().getCheckCertName())
+                    if(_instance.engine().getCheckCertName() && !string.IsNullOrEmpty(_host))
                     {
-                        message = "SSL certificate validation failed - Hostname mismatch";
+                        if(_instance.securityTraceLevel() >= 1)
+                        {
+                            _instance.logger().trace(_instance.securityTraceCategory(),
+                                "SSL certificate validation failed - Hostname mismatch");
+                        }
                         return false;
                     }
                     else
diff --git a/java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java b/java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java
index b20a7451e00..d2ca48c2fa4 100644
--- a/java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java
+++ b/java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java
@@ -858,7 +858,7 @@ class SSLEngine
         //
         // Enable the HTTPS hostname verification algorithm
         //
-        if(_checkCertName && _verifyPeer > 0)
+        if(_checkCertName && _verifyPeer > 0 && host != null)
         {
             SSLParameters params = new SSLParameters();
             params.setEndpointIdentificationAlgorithm("HTTPS");
diff --git a/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java b/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java
index 019f7742508..048c63c081e 100644
--- a/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java
+++ b/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java
@@ -864,7 +864,7 @@ class SSLEngine
         //
         // Enable the HTTPS hostname verification algorithm
         //
-        if(_checkCertName && _verifyPeer > 0)
+        if(_checkCertName && _verifyPeer > 0 && host != null)
         {
             SSLParameters params = new SSLParameters();
             params.setEndpointIdentificationAlgorithm("HTTPS");
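Review bot: Removing the `message = "SSL certificate validation failed - Hostname mismatch";` assignment in the name-mismatch branch replaces a recorded failure reason with a trace that only appears at IceSSL.Trace.Security>=1; if `message` is what the surrounding validation callback (outside this hunk) puts into the exception or log when this method returns false, the caller now sees a rejected handshake with no mismatch text. Keeping the assignment next to the new trace, `message = "SSL certificate validation failed - Hostname mismatch";` before `return false;`, costs nothing and preserves that. Separately, an empty `_host` now drops into the `else` branch (outside the hunk) with no trace at all that the name check was skipped, which leaves the security log silent exactly when the peer's name is unverified; a `trace` call at the same level there would keep it complete. The enclosing method begins and ends outside the hunk.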
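Review bot: The new `host != null` guard in the java-compat SSLEngine is weaker than the C++ (`_host.empty()`) and C# (`string.IsNullOrEmpty(_host)`) conditions in this same commit: an empty-string host still turns on the HTTPS endpoint identification algorithm, which then runs against an empty name and will behave differently from the other mappings. Use `if(_checkCertName && _verifyPeer > 0 && host != null && !host.isEmpty())` so all implementations disable the check under the same condition. The comment block above it still says only what is enabled; adding `// With no target host there is nothing to verify the certificate name against, so the check stays off.` records why the guard exists. The enclosing method begins and ends outside the hunk.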
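Review bot: The `host != null` test added in com.zeroc.IceSSL.SSLEngine does not cover an empty string, unlike the C++ and C# changes in this commit, so an empty host enables HTTPS endpoint identification against an empty name instead of skipping it; `host != null && !host.isEmpty()` matches the other two. It is also worth recording, in the comment block above the condition, that when the guard is false the certificate is accepted on chain trust alone with no binding to the endpoint, e.g. `// No target host: the peer is trusted on its chain only; its certificate name is not checked.`, since nothing else in this method (which begins and ends outside the hunk) signals that downgrade.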