authorJose <pepone@users.noreply.github.com>2019-09-10 10:29:11 +0200
committerGitHub <noreply@github.com>2019-09-10 10:29:11 +0200
commitbad1d435dfba9b103bfe76555506757beda5c4df (patch)
treef4a8dd87308ee80781f9b39ffabd95cee9e1ef69 /csharp/src
parentWhitespace fixes (diff)
IceSSL cert name verification fixes - Close #512 (#515)
Diffstat (limited to 'csharp/src')
-rw-r--r--csharp/src/IceSSL/SSLEngine.cs1
-rw-r--r--csharp/src/IceSSL/TransceiverI.cs24
2 files changed, 19 insertions, 6 deletions
diff --git a/csharp/src/IceSSL/SSLEngine.cs b/csharp/src/IceSSL/SSLEngine.cs
index e008da6a245..d97addc0603 100644
--- a/csharp/src/IceSSL/SSLEngine.cs
+++ b/csharp/src/IceSSL/SSLEngine.cs
@@ -488,7 +488,6 @@ namespace IceSSL
internal void verifyPeer(string address, IceSSL.ConnectionInfo info, string desc)
{
-
if(_verifyDepthMax > 0 && info.certs != null && info.certs.Length > _verifyDepthMax)
{
string msg = (info.incoming ? "incoming" : "outgoing") + " connection rejected:\n" +
diff --git a/csharp/src/IceSSL/TransceiverI.cs b/csharp/src/IceSSL/TransceiverI.cs
index 90698ee5a6f..daa2bb201a2 100644
--- a/csharp/src/IceSSL/TransceiverI.cs
+++ b/csharp/src/IceSSL/TransceiverI.cs
@@ -589,20 +589,34 @@ namespace IceSSL
}
}
- if((errors & (int)SslPolicyErrors.RemoteCertificateNameMismatch) > 0)
+ bool certificateNameMismatch = (errors & (int)SslPolicyErrors.RemoteCertificateNameMismatch) > 0;
+ if(certificateNameMismatch)
{
if(_instance.engine().getCheckCertName() && !string.IsNullOrEmpty(_host))
{
if(_instance.securityTraceLevel() >= 1)
{
- _instance.logger().trace(_instance.securityTraceCategory(),
- "SSL certificate validation failed - Hostname mismatch");
+ string msg = "SSL certificate validation failed - Hostname mismatch";
+ if(_verifyPeer == 0)
+ {
+ msg += " (ignored)";
+ }
+ _instance.logger().trace(_instance.securityTraceCategory(), msg);
+ }
+
+ if(_verifyPeer > 0)
+ {
+ return false;
+ }
+ else
+ {
+ errors ^= (int)SslPolicyErrors.RemoteCertificateNameMismatch;
}
- return false;
}
else
{
errors ^= (int)SslPolicyErrors.RemoteCertificateNameMismatch;
+ certificateNameMismatch = false;
}
}
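Review bot: In the new `_verifyPeer == 0` branch a hostname mismatch is accepted even though `getCheckCertName()` is true, and the only record of it is the " (ignored)" trace, which is emitted only when `securityTraceLevel() >= 1`. With tracing off, nothing at this point shows that a certificate issued for a different host was accepted, so the branch deserves a comment saying the flag is left set on purpose, e.g. `// VerifyPeer=0: accept the connection but leave certificateNameMismatch set so it is not reported as verified`. The two `errors ^= ...` lines would also read more safely as `errors &= ~(int)SslPolicyErrors.RemoteCertificateNameMismatch;`, since XOR clears the bit only while the surrounding `if(certificateNameMismatch)` guard holds. The enclosing method begins and ends outside this hunk.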
@@ -633,7 +647,7 @@ namespace IceSSL
}
else
{
- _verified = true;
+ _verified = !certificateNameMismatch;
}
}
else if(status.Status == X509ChainStatusFlags.Revoked)
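Review bot: `_verified = !certificateNameMismatch;` depends on a local that is set well above this line and cleared in only one of the two mismatch branches, which is not apparent here. A short comment such as `// a name mismatch tolerated under VerifyPeer=0 leaves the peer unverified` would make the intent explicit. Only this branch of the chain-status handling is visible in the hunk, so if other paths assign `_verified`, they should be checked for the same treatment of the mismatch flag.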