-rw-r--r-- | cpp/src/IceSSL/SSLEngine.cpp | 10 | ||||
-rw-r--r-- | cpp/test/IceSSL/configuration/AllTests.cpp | 49 | ||||
-rw-r--r-- | csharp/src/IceSSL/TransceiverI.cs | 5 | ||||
-rw-r--r-- | csharp/test/IceSSL/configuration/AllTests.cs | 26 | ||||
-rw-r--r-- | java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java | 22 | ||||
-rw-r--r-- | java-compat/test/src/main/java/test/IceSSL/configuration/AllTests.java | 51 | ||||
-rw-r--r-- | java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java | 22 | ||||
-rw-r--r-- | java/test/src/main/java/test/IceSSL/configuration/AllTests.java | 51 |
8 files changed, 212 insertions, 24 deletions
diff --git a/cpp/src/IceSSL/SSLEngine.cpp b/cpp/src/IceSSL/SSLEngine.cpp
index 3ee453925e9..355b8fad16f 100644
--- a/cpp/src/IceSSL/SSLEngine.cpp
+++ b/cpp/src/IceSSL/SSLEngine.cpp
@@ -210,9 +210,13 @@ IceSSL::SSLEngine::verifyPeer(const string& address, const NativeConnectionInfoP
 Trace out(_logger, _securityTraceCategory);
 out << msg;
 }
- SecurityException ex(__FILE__, __LINE__);
- ex.reason = msg;
- throw ex;
+
+ if(_verifyPeer > 0)
+ {
+ SecurityException ex(__FILE__, __LINE__);
+ ex.reason = msg;
+ throw ex;
+ }
 }
 }
 #endif
diff --git a/cpp/test/IceSSL/configuration/AllTests.cpp b/cpp/test/IceSSL/configuration/AllTests.cpp
index 95214c79a20..5a52b3f682e 100644
--- a/cpp/test/IceSSL/configuration/AllTests.cpp
+++ b/cpp/test/IceSSL/configuration/AllTests.cpp
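Review bot: With `_verifyPeer == 0` a host-name mismatch found by the CheckCertName path is now only traced (and only when security tracing is enabled, per the `Trace out` lines just above) and the handshake continues, so the new `if(_verifyPeer > 0)` quietly downgrades CheckCertName to advisory. That precedence is defensible if VerifyPeer=0 already means no peer verification at all, but nothing in the hunk records it; a comment above the `if` such as `// VerifyPeer=0 disables peer verification entirely, so a name mismatch is traced but never fatal.` would stop a later maintainer from restoring the unconditional throw. The enclosing verifyPeer() starts outside the hunk and the block sits under a platform-specific `#endif`, so it is worth confirming the other build paths apply the same rule. Note also that the Java hunks reach the same outcome by not enabling HTTPS endpoint identification at all when `_verifyPeer == 0`, so there a mismatch is not even logged; the two implementations differ in what an operator can observe.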
@@ -1386,6 +1386,55 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12)
 #endif
 fact->destroyServer(server);
 comm->destroy();
+
+ //
+ // Target host does not match the certificate DNS altName, connection should succeed
+ // because IceSSL.VerifyPeer is set to 0.
+ //
+ initData.properties = createClientProps(defaultProps, p12, "c_rsa_ca1", "cacert1");
+ initData.properties->setProperty("IceSSL.CheckCertName", "1");
+ initData.properties->setProperty("IceSSL.VerifyPeer", "0");
+ comm = initialize(initData);
+
+ fact = ICE_CHECKED_CAST(Test::ServerFactoryPrx, comm->stringToProxy(factoryRef));
+ test(fact);
+ d = createServerProps(props, p12, "s_rsa_ca1_cn2", "cacert1");
+ server = fact->createServer(d);
+ try
+ {
+ server->ice_ping();
+ }
+ catch(const Ice::LocalException&)
+ {
+ test(false);
+ }
+
+ fact->destroyServer(server);
+ comm->destroy();
+
+ //
+ // Target host does not match the certificate DNS altName, connection should succeed
+ // because IceSSL.CheckCertName is set to 0.
+ //
+ initData.properties = createClientProps(defaultProps, p12, "c_rsa_ca1", "cacert1");
+ initData.properties->setProperty("IceSSL.CheckCertName", "0");
+ comm = initialize(initData);
+
+ fact = ICE_CHECKED_CAST(Test::ServerFactoryPrx, comm->stringToProxy(factoryRef));
+ test(fact);
+ d = createServerProps(props, p12, "s_rsa_ca1_cn2", "cacert1");
+ server = fact->createServer(d);
+ try
+ {
+ server->ice_ping();
+ }
+ catch(const Ice::LocalException&)
+ {
+ test(false);
+ }
+
+ fact->destroyServer(server);
+ comm->destroy();
 }
 }
 cout << "ok" << endl;
diff --git a/csharp/src/IceSSL/TransceiverI.cs b/csharp/src/IceSSL/TransceiverI.cs
index 0dbf195c515..f46396bd9a2 100644
--- a/csharp/src/IceSSL/TransceiverI.cs
+++ b/csharp/src/IceSSL/TransceiverI.cs
@@ -610,9 +610,12 @@ namespace IceSSL message = "SSL certificate validation failed - Hostname mismatch"; return false; } + else + { + errors ^= (int)SslPolicyErrors.RemoteCertificateNameMismatch; + } } - if((errors & (int)SslPolicyErrors.RemoteCertificateChainErrors) > 0 && _chain.ChainStatus != null && _chain.ChainStatus.Length > 0) { diff --git a/csharp/test/IceSSL/configuration/AllTests.cs b/csharp/test/IceSSL/configuration/AllTests.cs index b02a6cec16c..f275492b0ad 100644 --- a/csharp/test/IceSSL/configuration/AllTests.cs +++ b/csharp/test/IceSSL/configuration/AllTests.cs @@ -759,6 +759,32 @@ public class AllTests fact.destroyServer(server); comm.destroy(); } + + // + // Target host does not match the certificate DNS altName, connection should succeed + // because IceSSL.CheckCertName is set to 0. + // + { + initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1"); + initData.properties.setProperty("IceSSL.CheckCertName", "0"); + comm = Ice.Util.initialize(ref args, initData); + + fact = Test.ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); + test(fact != null); + d = createServerProps(props, "s_rsa_ca1_cn2", "cacert1"); + d["IceSSL.CheckCertName"] = "1"; + server = fact.createServer(d); + try + { + server.ice_ping(); + } + catch(Ice.LocalException) + { + test(false); + } + fact.destroyServer(server); + comm.destroy(); + } } } Console.Out.WriteLine("ok"); diff --git a/java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java b/java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java index 6cc00355c3d..b20a7451e00 100644 --- a/java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java +++ b/java-compat/src/Ice/src/main/java/IceSSL/SSLEngine.java 
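Review bot: `errors ^= (int)SslPolicyErrors.RemoteCertificateNameMismatch;` toggles the bit instead of clearing it; the enclosing `if` that presumably establishes the bit is set begins outside the hunk, so if this `else` branch is ever reached without it, the XOR would turn a clean result into a name-mismatch error. `errors &= ~(int)SslPolicyErrors.RemoteCertificateNameMismatch;` states the intent (drop the flag once the name check is deliberately skipped) and is correct whether or not the bit was set. Unlike the C++ and Java hunks, this one does not consult any VerifyPeer setting, and the AllTests.cs hunk in the same file section adds only the CheckCertName=0 case; if the C# transport is meant to honour VerifyPeer=0 the same way, that path is neither implemented nor tested here, and if it is intentionally different, a comment saying so would help.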
@@ -791,16 +791,6 @@ class SSLEngine } engine.setUseClientMode(!incoming); - // - // Enable the HTTPS hostname verification algorithm - // - if(_checkCertName) - { - SSLParameters params = new SSLParameters(); - params.setEndpointIdentificationAlgorithm("HTTPS"); - engine.setSSLParameters(params); - } - String[] cipherSuites = filterCiphers(engine.getSupportedCipherSuites(), engine.getEnabledCipherSuites()); try { @@ -863,6 +853,18 @@ class SSLEngine engine.setNeedClientAuth(true); } } + else + { + // + // Enable the HTTPS hostname verification algorithm + // + if(_checkCertName && _verifyPeer > 0) + { + SSLParameters params = new SSLParameters(); + params.setEndpointIdentificationAlgorithm("HTTPS"); + engine.setSSLParameters(params); + } + } try { diff --git a/java-compat/test/src/main/java/test/IceSSL/configuration/AllTests.java b/java-compat/test/src/main/java/test/IceSSL/configuration/AllTests.java index 1ce41753de6..e814b868807 100644 --- a/java-compat/test/src/main/java/test/IceSSL/configuration/AllTests.java +++ b/java-compat/test/src/main/java/test/IceSSL/configuration/AllTests.java 
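Review bot: Moving the `setEndpointIdentificationAlgorithm("HTTPS")` setup into the `else` branch means host-name verification is now configured only on one side of the `if` whose header lies outside the hunk (presumably the non-incoming side) and only when `_verifyPeer > 0`. With `_verifyPeer == 0` the JSSE name check is skipped entirely, so a mismatched certificate is neither rejected nor logged, whereas the C++ hunk in SSLEngine.cpp still traces the mismatch before continuing; that difference in observability deserves a note. Replace the moved comment with something like `// Enable HTTPS hostname verification for outgoing connections; VerifyPeer=0 disables peer verification entirely, so the name is not checked (or logged) in that case.` The same change appears in the com.zeroc IceSSL/SSLEngine.java hunk in the java/ tree, which should carry the same comment.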
@@ -717,6 +717,57 @@ public class AllTests fact.destroyServer(server); comm.destroy(); } + + // + // Target host does not match the certificate DNS altName, connection should succeed + // because IceSSL.VerifyPeer is set to 0. + // + { + initData = createClientProps(defaultProperties, defaultDir, "localhost", "c_rsa_ca1", "cacert1"); + initData.properties.setProperty("IceSSL.CheckCertName", "1"); + initData.properties.setProperty("IceSSL.VerifyPeer", "0"); + comm = Ice.Util.initialize(args, initData); + + fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); + test(fact != null); + d = createServerProps(defaultProperties, defaultDir, "localhost", "s_rsa_ca1_cn2", "cacert1"); + server = fact.createServer(d); + try + { + server.ice_ping(); + } + catch(Ice.LocalException ex) + { + test(false); + } + fact.destroyServer(server); + comm.destroy(); + } + + // + // Target host does not match the certificate DNS altName, connection should succeed + // because IceSSL.CheckCertName is set to 0. + // + { + initData = createClientProps(defaultProperties, defaultDir, "localhost", "c_rsa_ca1", "cacert1"); + initData.properties.setProperty("IceSSL.CheckCertName", "0"); + comm = Ice.Util.initialize(args, initData); + + fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); + test(fact != null); + d = createServerProps(defaultProperties, defaultDir, "localhost", "s_rsa_ca1_cn2", "cacert1"); + server = fact.createServer(d); + try + { + server.ice_ping(); + } + catch(Ice.LocalException ex) + { + test(false); + } + fact.destroyServer(server); + comm.destroy(); + } } } out.println("ok"); diff --git a/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java b/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java index 001d3a24f76..019f7742508 100644 --- a/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java +++ b/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java 
@@ -797,16 +797,6 @@ class SSLEngine } engine.setUseClientMode(!incoming); - // - // Enable the HTTPS hostname verification algorithm - // - if(_checkCertName) - { - SSLParameters params = new SSLParameters(); - params.setEndpointIdentificationAlgorithm("HTTPS"); - engine.setSSLParameters(params); - } - String[] cipherSuites = filterCiphers(engine.getSupportedCipherSuites(), engine.getEnabledCipherSuites()); try { @@ -869,6 +859,18 @@ class SSLEngine engine.setNeedClientAuth(true); } } + else + { + // + // Enable the HTTPS hostname verification algorithm + // + if(_checkCertName && _verifyPeer > 0) + { + SSLParameters params = new SSLParameters(); + params.setEndpointIdentificationAlgorithm("HTTPS"); + engine.setSSLParameters(params); + } + } try { diff --git a/java/test/src/main/java/test/IceSSL/configuration/AllTests.java b/java/test/src/main/java/test/IceSSL/configuration/AllTests.java index 4279307e2de..6fe3db303fa 100644 --- a/java/test/src/main/java/test/IceSSL/configuration/AllTests.java +++ b/java/test/src/main/java/test/IceSSL/configuration/AllTests.java 
@@ -715,6 +715,57 @@ public class AllTests fact.destroyServer(server); comm.destroy(); } + + // + // Target host does not match the certificate DNS altName, connection should succeed + // because IceSSL.VerifyPeer is set to 0. + // + { + initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1"); + initData.properties.setProperty("IceSSL.CheckCertName", "1"); + initData.properties.setProperty("IceSSL.VerifyPeer", "0"); + comm = Util.initialize(args, initData); + + fact = ServerFactoryPrx.checkedCast(comm.stringToProxy(factoryRef)); + test(fact != null); + d = createServerProps(props, "s_rsa_ca1_cn2", "cacert1"); + server = fact.createServer(d); + try + { + server.ice_ping(); + } + catch(com.zeroc.Ice.LocalException ex) + { + test(false); + } + fact.destroyServer(server); + comm.destroy(); + } + + // + // Target host does not match the certificate DNS altName, connection should succeed + // because IceSSL.CheckCertName is set to 0. + // + { + initData = createClientProps(defaultProperties, "c_rsa_ca1", "cacert1"); + initData.properties.setProperty("IceSSL.CheckCertName", "0"); + comm = Util.initialize(args, initData); + + fact = ServerFactoryPrx.checkedCast(comm.stringToProxy(factoryRef)); + test(fact != null); + d = createServerProps(props, "s_rsa_ca1_cn2", "cacert1"); + server = fact.createServer(d); + try + { + server.ice_ping(); + } + catch(com.zeroc.Ice.LocalException ex) + { + test(false); + } + fact.destroyServer(server); + comm.destroy(); + } } } out.println("ok"); |