authorJose <jose@zeroc.com>2017-02-22 10:49:10 +0100
committerJose <jose@zeroc.com>2017-02-22 10:49:10 +0100
commitc5b5faca606e38ecaa7049f54641f1587c1517c8 (patch)
treecf5b56fdf1cd547d8acefbe9bd61ae5393d27410 /cpp/src/IceSSL/UWPTransceiverI.cpp
parentAnother fix for compiler flag ordering (diff)
Fix (6462) - Consider changing some IceSSL checks to use native APIs
Diffstat (limited to 'cpp/src/IceSSL/UWPTransceiverI.cpp')
-rw-r--r--cpp/src/IceSSL/UWPTransceiverI.cpp11
1 files changed, 9 insertions, 2 deletions
diff --git a/cpp/src/IceSSL/UWPTransceiverI.cpp b/cpp/src/IceSSL/UWPTransceiverI.cpp
index b58a688733f..91945bd7fce 100644
--- a/cpp/src/IceSSL/UWPTransceiverI.cpp
+++ b/cpp/src/IceSSL/UWPTransceiverI.cpp
@@ -167,7 +167,7 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
// Ignore InvalidName errors here SSLEngine::verifyPeer already checks that
// using IceSSL.CheckCertName settings.
//
- if(result != ChainValidationResult::InvalidName && result != ChainValidationResult::Success)
+ if(result != ChainValidationResult::Success)
{
if(_engine->getVerifyPeer() == 0)
{
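Review bot: The comment kept above this condition still says InvalidName errors are ignored here, but the new test `if(result != ChainValidationResult::Success)` no longer ignores them, so the comment now contradicts the code. It should be rewritten, for example `// Name mismatches are enforced by the native stack when IceSSL.CheckCertName is set; any non-Success result is handled below.` How `result` is computed is outside the hunk: if it can still come back as InvalidName when IceSSL.CheckCertName is disabled, that configuration now takes the failure branch, and the condition may need `&& !(result == ChainValidationResult::InvalidName && !_engine->getCheckCertName())`. The body of initialize starts and ends outside the hunk, so this should be confirmed against the full function.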
@@ -259,7 +259,10 @@ IceSSL::TransceiverI::startWrite(IceInternal::Buffer& buf)
//
stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::Expired);
stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::IncompleteChain);
- stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::InvalidName);
+ if(!_engine->getCheckCertName())
+ {
+ stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::InvalidName);
+ }
stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::RevocationFailure);
stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::RevocationInformationMissing);
stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::Untrusted);
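Review bot: The new `if(!_engine->getCheckCertName())` block in startWrite has no comment saying where a name mismatch is reported once InvalidName is left out of the ignorable list. I would add above it `// With IceSSL.CheckCertName enabled the native stack enforces the host name; a mismatch is reported when the write completes (finishWrite).` The other results (Expired, IncompleteChain, RevocationFailure, RevocationInformationMissing, Untrusted) are still appended unconditionally, so the native handshake accepts them and rejection presumably depends on the later chain check in initialize. That dependency is worth stating in the same comment, so nobody relaxes the later check without noticing. The comment that opens this block begins outside the hunk.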
@@ -292,6 +295,10 @@ IceSSL::TransceiverI::finishWrite(IceInternal::Buffer& buf)
IceInternal::AsyncInfo* asyncInfo = getNativeInfo()->getAsyncInfo(IceInternal::SocketOperationWrite);
if(asyncInfo->count == SOCKET_ERROR)
{
+ if(CERT_E_CN_NO_MATCH == asyncInfo->error)
+ {
+ throw SecurityException(__FILE__, __LINE__, "Hostname mismatch");
+ }
IceInternal::checkErrorCode(__FILE__, __LINE__, asyncInfo->error);
}
return;
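Review bot: The exception text `"Hostname mismatch"` added in finishWrite does not say which peer or expected name failed, which makes a rejected connection hard to triage from logs. If the transceiver holds the target host (not visible in this hunk), append it to the message. Separately, `CERT_E_CN_NO_MATCH == asyncInfo->error` compares an HRESULT constant with a field whose type is not shown here. Confirm the field stores the full HRESULT without truncation or a sign change, otherwise the branch never matches and the mismatch falls through to `checkErrorCode` as a generic error. finishWrite begins outside the hunk.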