-rw-r--r--cpp/src/IceSSL/UWPTransceiverI.cpp22
-rw-r--r--csharp/src/IceSSL/TransceiverI.cs8
-rw-r--r--java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java2
-rw-r--r--java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java2
4 files changed, 28 insertions, 6 deletions
diff --git a/cpp/src/IceSSL/UWPTransceiverI.cpp b/cpp/src/IceSSL/UWPTransceiverI.cpp
index ca4bdc46afc..1f6eb168cd0 100644
--- a/cpp/src/IceSSL/UWPTransceiverI.cpp
+++ b/cpp/src/IceSSL/UWPTransceiverI.cpp
@@ -255,7 +255,10 @@ IceSSL::TransceiverI::startWrite(IceInternal::Buffer& buf)
//
stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::Expired);
stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::IncompleteChain);
- if(!_engine->getCheckCertName())
+ //
+ // Check if we need to enable host name verification
+ //
+ if(!_engine->getCheckCertName() || _host.empty())
{
stream->Control->IgnorableServerCertificateErrors->Append(ChainValidationResult::InvalidName);
}
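Review bot: When `getCheckCertName()` is true but `_host` is empty, the new condition adds `InvalidName` to the ignorable errors and name verification is dropped without any trace, so an endpoint that loses its host name silently loses the check as well. A trace line at `_engine->securityTraceLevel() >= 1` for that case would make the downgrade visible in logs. The added comment says "enable" while the branch disables the check; `// Skip host name verification when it is disabled or no host name is available` would match the code. The same silent skip applies to the C# hunk (`!string.IsNullOrEmpty(_host)`) and to both Java hunks (`host != null`). The body of startWrite continues outside this hunk.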
@@ -293,7 +296,22 @@ IceSSL::TransceiverI::finishWrite(IceInternal::Buffer& buf)
{
if(CERT_E_CN_NO_MATCH == asyncInfo->error)
{
- throw SecurityException(__FILE__, __LINE__, "Hostname mismatch");
+ ostringstream ostr;
+ ostr << "IceSSL: certificate validation failure: "
+ << (IceInternal::isIpAddress(_host) ? "IP address mismatch" : "Hostname mismatch");
+ string msg = ostr.str();
+ if(_engine->securityTraceLevel() >= 1)
+ {
+ Trace out(_logger, _securityTraceCategory);
+ out << msg;
+ }
+
+ if(_engine->getVerifyPeer() > 0)
+ {
+ SecurityException ex(__FILE__, __LINE__);
+ ex.reason = msg;
+ throw ex;
+ }
}
IceInternal::checkErrorCode(__FILE__, __LINE__, asyncInfo->error);
}
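Review bot: When `getVerifyPeer()` is 0 the `CERT_E_CN_NO_MATCH` branch no longer throws, but control then reaches `IceInternal::checkErrorCode(__FILE__, __LINE__, asyncInfo->error)` with the same error value, so the mismatch may still surface as a different exception. What checkErrorCode does with this code is not visible here, so this needs confirming. If it raises, the `getVerifyPeer()` test only changes the exception type; if it does not, a name mismatch is accepted after a trace that is emitted only at `securityTraceLevel() >= 1`. A short comment before the `getVerifyPeer()` test stating which outcome is intended, for example `// VerifyPeer == 0: mismatch is traced only; see checkErrorCode below`, would settle it for the next reader. The enclosing function starts outside the hunk.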
diff --git a/csharp/src/IceSSL/TransceiverI.cs b/csharp/src/IceSSL/TransceiverI.cs
index f46396bd9a2..ea026ef098a 100644
--- a/csharp/src/IceSSL/TransceiverI.cs
+++ b/csharp/src/IceSSL/TransceiverI.cs
@@ -605,9 +605,13 @@ namespace IceSSL
if((errors & (int)SslPolicyErrors.RemoteCertificateNameMismatch) > 0)
{
- if(_instance.engine().getCheckCertName())
+ if(_instance.engine().getCheckCertName() && !string.IsNullOrEmpty(_host))
{
- message = "SSL certificate validation failed - Hostname mismatch";
+ if(_instance.securityTraceLevel() >= 1)
+ {
+ _instance.logger().trace(_instance.securityTraceCategory(),
+ "SSL certificate validation failed - Hostname mismatch");
+ }
return false;
}
else
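Review bot: The trace text `"SSL certificate validation failed - Hostname mismatch"` differs from what the C++ transceiver emits in this same commit (`"IceSSL: certificate validation failure: "` followed by "Hostname mismatch" or "IP address mismatch"), and it does not distinguish an IP-address target. Using the same prefix and wording in both runtimes would let one log search or detection rule cover both. The `else` branch and the enclosing method continue outside the hunk.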
diff --git a/java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java b/java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java
index b20a7451e00..d2ca48c2fa4 100644
--- a/java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java
+++ b/java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java
@@ -858,7 +858,7 @@ class SSLEngine
//
// Enable the HTTPS hostname verification algorithm
//
- if(_checkCertName && _verifyPeer > 0)
+ if(_checkCertName && _verifyPeer > 0 && host != null)
{
SSLParameters params = new SSLParameters();
params.setEndpointIdentificationAlgorithm("HTTPS");
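Review bot: `host != null` still enables the HTTPS endpoint identification for an empty-string host, whereas the C++ and C# changes in this commit treat an empty host like a missing one (`_host.empty()`, `string.IsNullOrEmpty(_host)`). Whether `host` can be `""` at this point is not visible from the hunk; if it can, `host != null && !host.isEmpty()` would keep the three runtimes consistent. The identical change in java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java has the same question. The enclosing method starts and ends outside the hunk.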
diff --git a/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java b/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java
index 019f7742508..048c63c081e 100644
--- a/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java
+++ b/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java
@@ -864,7 +864,7 @@ class SSLEngine
//
// Enable the HTTPS hostname verification algorithm
//
- if(_checkCertName && _verifyPeer > 0)
+ if(_checkCertName && _verifyPeer > 0 && host != null)
{
SSLParameters params = new SSLParameters();
params.setEndpointIdentificationAlgorithm("HTTPS");