authorJose <jose@zeroc.com>2017-02-22 17:40:08 +0100
committerJose <jose@zeroc.com>2017-02-22 17:40:08 +0100
commitaa3e8bd6874a69aa25ea19625c6493de2b9cb7e0 (patch)
tree8d42b267f1ddb06123b09b1c89b1a300a21a530a
parentLinux build failure (diff)
downloadice-aa3e8bd6874a69aa25ea19625c6493de2b9cb7e0.tar.bz2
ice-aa3e8bd6874a69aa25ea19625c6493de2b9cb7e0.tar.xz
ice-aa3e8bd6874a69aa25ea19625c6493de2b9cb7e0.zip
Fix hostname verification to ignore errors when IceSSL.VerifyPeer is 0
-rw-r--r--cpp/src/IceSSL/SSLEngine.cpp10
-rw-r--r--cpp/test/IceSSL/configuration/AllTests.cpp49
-rw-r--r--csharp/src/IceSSL/TransceiverI.cs5
-rw-r--r--csharp/test/IceSSL/configuration/AllTests.cs26
-rw-r--r--java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java22
-rw-r--r--java-compat/test/src/main/java/test/IceSSL/configuration/AllTests.java51
-rw-r--r--java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java22
-rw-r--r--java/test/src/main/java/test/IceSSL/configuration/AllTests.java51
8 files changed, 212 insertions, 24 deletions
diff --git a/cpp/src/IceSSL/SSLEngine.cpp b/cpp/src/IceSSL/SSLEngine.cpp
index 3ee453925e9..355b8fad16f 100644
--- a/cpp/src/IceSSL/SSLEngine.cpp
+++ b/cpp/src/IceSSL/SSLEngine.cpp
@@ -210,9 +210,13 @@ IceSSL::SSLEngine::verifyPeer(const string& address, const NativeConnectionInfoP
Trace out(_logger, _securityTraceCategory);
out << msg;
}
- SecurityException ex(__FILE__, __LINE__);
- ex.reason = msg;
- throw ex;
+
+ if(_verifyPeer > 0)
+ {
+ SecurityException ex(__FILE__, __LINE__);
+ ex.reason = msg;
+ throw ex;
+ }
}
}
#endif
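Review bot: The new `if(_verifyPeer > 0)` guard has no comment saying why a failed hostname check is no longer fatal, and the trace written on the lines just above reads the same whether the connection is then rejected or allowed. Add `// IceSSL.VerifyPeer=0 disables peer verification, so a hostname mismatch is traced but not fatal.` above the guard, and consider making the traced message say the mismatch was ignored when `_verifyPeer` is 0 so security logs can tell the two outcomes apart. verifyPeer's body begins before this hunk, so whether `msg` is built only under a trace-level check cannot be seen here.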
diff --git a/cpp/test/IceSSL/configuration/AllTests.cpp b/cpp/test/IceSSL/configuration/AllTests.cpp
index 95214c79a20..5a52b3f682e 100644
--- a/cpp/test/IceSSL/configuration/AllTests.cpp
+++ b/cpp/test/IceSSL/configuration/AllTests.cpp
@@ -1386,6 +1386,55 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12)
#endif
fact->destroyServer(server);
comm->destroy();
+
+ //
+ // Target host does not match the certificate DNS altName, connection should succeed
+ // because IceSSL.VerifyPeer is set to 0.
+ //
+ initData.properties = createClientProps(defaultProps, p12, "c_rsa_ca1", "cacert1");
+ initData.properties->setProperty("IceSSL.CheckCertName", "1");
+ initData.properties->setProperty("IceSSL.VerifyPeer", "0");
+ comm = initialize(initData);
+
+ fact = ICE_CHECKED_CAST(Test::ServerFactoryPrx, comm->stringToProxy(factoryRef));
+ test(fact);
+ d = createServerProps(props, p12, "s_rsa_ca1_cn2", "cacert1");
+ server = fact->createServer(d);
+ try
+ {
+ server->ice_ping();
+ }
+ catch(const Ice::LocalException&)
+ {
+ test(false);
+ }
+
+ fact->destroyServer(server);
+ comm->destroy();
+
+ //
+ // Target host does not match the certificate DNS altName, connection should succeed
+ // because IceSSL.CheckCertName is set to 0.
+ //
+ initData.properties = createClientProps(defaultProps, p12, "c_rsa_ca1", "cacert1");
+ initData.properties->setProperty("IceSSL.CheckCertName", "0");
+ comm = initialize(initData);
+
+ fact = ICE_CHECKED_CAST(Test::ServerFactoryPrx, comm->stringToProxy(factoryRef));
+ test(fact);
+ d = createServerProps(props, p12, "s_rsa_ca1_cn2", "cacert1");
+ server = fact->createServer(d);
+ try
+ {
+ server->ice_ping();
+ }
+ catch(const Ice::LocalException&)
+ {
+ test(false);
+ }
+
+ fact->destroyServer(server);
+ comm->destroy();
}
}
cout << "ok" << endl;
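Review bot: Both new `catch(const Ice::LocalException&)` blocks discard the exception before calling `test(false)`, so a regression in the VerifyPeer=0 or CheckCertName=0 path fails without showing which SecurityException reason was raised; bind and print it, `catch(const Ice::LocalException& ex) { cout << ex << endl; test(false); }`. The same pattern appears in the java-compat and java AllTests hunks of this commit, where `ex` is bound but never used. The enclosing test block of allTests opens before this hunk.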
diff --git a/csharp/src/IceSSL/TransceiverI.cs b/csharp/src/IceSSL/TransceiverI.cs
index 0dbf195c515..f46396bd9a2 100644
--- a/csharp/src/IceSSL/TransceiverI.cs
+++ b/csharp/src/IceSSL/TransceiverI.cs
@@ -610,9 +610,12 @@ namespace IceSSL
message = "SSL certificate validation failed - Hostname mismatch";
return false;
}
+ else
+ {
+ errors ^= (int)SslPolicyErrors.RemoteCertificateNameMismatch;
+ }
}
-
if((errors & (int)SslPolicyErrors.RemoteCertificateChainErrors) > 0 &&
_chain.ChainStatus != null && _chain.ChainStatus.Length > 0)
{
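Review bot: The added `errors ^= (int)SslPolicyErrors.RemoteCertificateNameMismatch;` toggles the bit rather than clearing it, so it is only correct because the enclosing condition (which opens before this hunk) presumably guarantees the bit is set; `errors &= ~(int)SslPolicyErrors.RemoteCertificateNameMismatch;` states the intent and stays correct if that guard ever changes. A short comment above it, `// Hostname mismatch tolerated by configuration; clear it so the chain errors below are still evaluated.`, would also explain why a name mismatch is being dropped here.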
diff --git a/csharp/test/IceSSL/configuration/AllTests.cs b/csharp/test/IceSSL/configuration/AllTests.cs
index b02a6cec16c..f275492b0ad 100644
--- a/csharp/test/IceSSL/configuration/AllTests.cs
+++ b/csharp/test/IceSSL/configuration/AllTests.cs
@@ -759,6 +759,32 @@ public class AllTests
fact.destroyServer(server);
comm.destroy();
}
+
+ //
+ // Target host does not match the certificate DNS altName, connection should succeed
+ // because IceSSL.CheckCertName is set to 0.
+ //
+ {
+ initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1");
+ initData.properties.setProperty("IceSSL.CheckCertName", "0");
+ comm = Ice.Util.initialize(ref args, initData);
+
+ fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(props, "s_rsa_ca1_cn2", "cacert1");
+ d["IceSSL.CheckCertName"] = "1";
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.LocalException)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
}
}
Console.Out.WriteLine("ok");
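Review bot: Only the CheckCertName=0 case is added here, whereas the C++ and Java AllTests hunks in this commit also add the VerifyPeer=0 with CheckCertName=1 case that the commit title describes; if the C# transceiver tolerates a hostname mismatch under VerifyPeer=0 (that handling is not visible in the TransceiverI.cs hunk), a matching test would pin it. The server-side `d["IceSSL.CheckCertName"] = "1";` line has no counterpart in the other languages' tests and deserves a one-line comment explaining why the server needs it.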
diff --git a/java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java b/java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java
index 6cc00355c3d..b20a7451e00 100644
--- a/java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java
+++ b/java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java
@@ -791,16 +791,6 @@ class SSLEngine
}
engine.setUseClientMode(!incoming);
- //
- // Enable the HTTPS hostname verification algorithm
- //
- if(_checkCertName)
- {
- SSLParameters params = new SSLParameters();
- params.setEndpointIdentificationAlgorithm("HTTPS");
- engine.setSSLParameters(params);
- }
-
String[] cipherSuites = filterCiphers(engine.getSupportedCipherSuites(), engine.getEnabledCipherSuites());
try
{
@@ -863,6 +853,18 @@ class SSLEngine
engine.setNeedClientAuth(true);
}
}
+ else
+ {
+ //
+ // Enable the HTTPS hostname verification algorithm
+ //
+ if(_checkCertName && _verifyPeer > 0)
+ {
+ SSLParameters params = new SSLParameters();
+ params.setEndpointIdentificationAlgorithm("HTTPS");
+ engine.setSSLParameters(params);
+ }
+ }
try
{
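Review bot: Moving the `setEndpointIdentificationAlgorithm("HTTPS")` call into this `else` branch changes more than the `_verifyPeer > 0` guard named in the commit title: hostname verification is now configured only on the branch that, judging by the `setNeedClientAuth(true)` context above, handles outgoing connections, while the block removed in the earlier hunk applied it regardless of direction. That is defensible, since the HTTPS algorithm matches the peer certificate against the target host, but the comment should say so; replace the three-line header comment with `// Client side only: enable HTTPS hostname verification. With IceSSL.VerifyPeer=0 no peer verification is done, so the name check is skipped as well.`. The same change appears in the com.zeroc.IceSSL SSLEngine.java hunk. The `if` this `else` belongs to opens before the hunk.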
diff --git a/java-compat/test/src/main/java/test/IceSSL/configuration/AllTests.java b/java-compat/test/src/main/java/test/IceSSL/configuration/AllTests.java
index 1ce41753de6..e814b868807 100644
--- a/java-compat/test/src/main/java/test/IceSSL/configuration/AllTests.java
+++ b/java-compat/test/src/main/java/test/IceSSL/configuration/AllTests.java
@@ -717,6 +717,57 @@ public class AllTests
fact.destroyServer(server);
comm.destroy();
}
+
+ //
+ // Target host does not match the certificate DNS altName, connection should succeed
+ // because IceSSL.VerifyPeer is set to 0.
+ //
+ {
+ initData = createClientProps(defaultProperties, defaultDir, "localhost", "c_rsa_ca1", "cacert1");
+ initData.properties.setProperty("IceSSL.CheckCertName", "1");
+ initData.properties.setProperty("IceSSL.VerifyPeer", "0");
+ comm = Ice.Util.initialize(args, initData);
+
+ fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(defaultProperties, defaultDir, "localhost", "s_rsa_ca1_cn2", "cacert1");
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.LocalException ex)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+
+ //
+ // Target host does not match the certificate DNS altName, connection should succeed
+ // because IceSSL.CheckCertName is set to 0.
+ //
+ {
+ initData = createClientProps(defaultProperties, defaultDir, "localhost", "c_rsa_ca1", "cacert1");
+ initData.properties.setProperty("IceSSL.CheckCertName", "0");
+ comm = Ice.Util.initialize(args, initData);
+
+ fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(defaultProperties, defaultDir, "localhost", "s_rsa_ca1_cn2", "cacert1");
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(Ice.LocalException ex)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
}
}
out.println("ok");
diff --git a/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java b/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java
index 001d3a24f76..019f7742508 100644
--- a/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java
+++ b/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java
@@ -797,16 +797,6 @@ class SSLEngine
}
engine.setUseClientMode(!incoming);
- //
- // Enable the HTTPS hostname verification algorithm
- //
- if(_checkCertName)
- {
- SSLParameters params = new SSLParameters();
- params.setEndpointIdentificationAlgorithm("HTTPS");
- engine.setSSLParameters(params);
- }
-
String[] cipherSuites = filterCiphers(engine.getSupportedCipherSuites(), engine.getEnabledCipherSuites());
try
{
@@ -869,6 +859,18 @@ class SSLEngine
engine.setNeedClientAuth(true);
}
}
+ else
+ {
+ //
+ // Enable the HTTPS hostname verification algorithm
+ //
+ if(_checkCertName && _verifyPeer > 0)
+ {
+ SSLParameters params = new SSLParameters();
+ params.setEndpointIdentificationAlgorithm("HTTPS");
+ engine.setSSLParameters(params);
+ }
+ }
try
{
diff --git a/java/test/src/main/java/test/IceSSL/configuration/AllTests.java b/java/test/src/main/java/test/IceSSL/configuration/AllTests.java
index 4279307e2de..6fe3db303fa 100644
--- a/java/test/src/main/java/test/IceSSL/configuration/AllTests.java
+++ b/java/test/src/main/java/test/IceSSL/configuration/AllTests.java
@@ -715,6 +715,57 @@ public class AllTests
fact.destroyServer(server);
comm.destroy();
}
+
+ //
+ // Target host does not match the certificate DNS altName, connection should succeed
+ // because IceSSL.VerifyPeer is set to 0.
+ //
+ {
+ initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1");
+ initData.properties.setProperty("IceSSL.CheckCertName", "1");
+ initData.properties.setProperty("IceSSL.VerifyPeer", "0");
+ comm = Util.initialize(args, initData);
+
+ fact = ServerFactoryPrx.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(props, "s_rsa_ca1_cn2", "cacert1");
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(com.zeroc.Ice.LocalException ex)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
+
+ //
+ // Target host does not match the certificate DNS altName, connection should succeed
+ // because IceSSL.CheckCertName is set to 0.
+ //
+ {
+ initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1");
+ initData.properties.setProperty("IceSSL.CheckCertName", "0");
+ comm = Util.initialize(args, initData);
+
+ fact = ServerFactoryPrx.checkedCast(comm.stringToProxy(factoryRef));
+ test(fact != null);
+ d = createServerProps(props, "s_rsa_ca1_cn2", "cacert1");
+ server = fact.createServer(d);
+ try
+ {
+ server.ice_ping();
+ }
+ catch(com.zeroc.Ice.LocalException ex)
+ {
+ test(false);
+ }
+ fact.destroyServer(server);
+ comm.destroy();
+ }
}
}
out.println("ok");