From svn-r...@apache.org
Subject svn commit: r1615204 - in /subversion/branches/1.8.x: ./ STATUS subversion/libsvn_ra_serf/util.c
Date Fri, 01 Aug 2014 18:59:36 GMT
Author: svn-role
Date: Fri Aug  1 18:59:36 2014
New Revision: 1615204

URL: http://svn.apache.org/r1615204
Log:
Merge the r1565531 group from trunk:

 * r1565531, r1566503, r1568349, r1568361
   Ignore the CommonName in SSL certs when there are Subject Alt Names.
   Justification:
     Comply with RFC 2818.
   Votes:
     +1: breser, stefan2, ivan

Modified:
    subversion/branches/1.8.x/   (props changed)
    subversion/branches/1.8.x/STATUS
    subversion/branches/1.8.x/subversion/libsvn_ra_serf/util.c

Propchange: subversion/branches/1.8.x/
------------------------------------------------------------------------------
  Merged /subversion/trunk:r1565531,1566503,1568349,1568361

Modified: subversion/branches/1.8.x/STATUS
URL: http://svn.apache.org/viewvc/subversion/branches/1.8.x/STATUS?rev=1615204&r1=1615203&r2=1615204&view=diff
==============================================================================
--- subversion/branches/1.8.x/STATUS (original)
+++ subversion/branches/1.8.x/STATUS Fri Aug  1 18:59:36 2014
@@ -188,10 +188,3 @@ Veto-blocked changes:
 
 Approved changes:
 =================
-
- * r1565531, r1566503, r1568349, r1568361
-   Ignore the CommonName in SSL certs when there are Subject Alt Names.
-   Justification:
-     Comply with RFC 2818.
-   Votes:
-     +1: breser, stefan2, ivan

Modified: subversion/branches/1.8.x/subversion/libsvn_ra_serf/util.c
URL: http://svn.apache.org/viewvc/subversion/branches/1.8.x/subversion/libsvn_ra_serf/util.c?rev=1615204&r1=1615203&r2=1615204&view=diff
==============================================================================
--- subversion/branches/1.8.x/subversion/libsvn_ra_serf/util.c (original)
+++ subversion/branches/1.8.x/subversion/libsvn_ra_serf/util.c Fri Aug  1 18:59:36 2014
@@ -274,7 +274,6 @@ ssl_server_cert(void *baton, int failure
   apr_hash_t *subject = NULL;
   apr_hash_t *serf_cert = NULL;
   void *creds;
-  int found_matching_hostname = 0;
 
   svn_failures = (ssl_convert_serf_failures(failures)
       | conn->server_cert_failures);
@@ -286,26 +285,36 @@ ssl_server_cert(void *baton, int failure
       ### This should really be handled by serf, which should pass an error
           for this case, but that has backwards compatibility issues. */
       apr_array_header_t *san;
+      svn_boolean_t found_san_entry = FALSE;
+      svn_boolean_t found_matching_hostname = FALSE;
 
       serf_cert = serf_ssl_cert_certificate(cert, scratch_pool);
 
       san = svn_hash_gets(serf_cert, "subjectAltName");
       /* Try to find matching server name via subjectAltName first... */
-      if (san) {
+      if (san)
+        {
           int i;
-          for (i = 0; i < san->nelts; i++) {
+          found_san_entry = san->nelts > 0;
+          for (i = 0; i < san->nelts; i++)
+            {
               const char *s = APR_ARRAY_IDX(san, i, const char*);
-              if (apr_fnmatch(s, conn->session->session_url.hostname,
-                  APR_FNM_PERIOD | APR_FNM_CASE_BLIND) == APR_SUCCESS)
-              {
-                  found_matching_hostname = 1;
+              if (APR_SUCCESS == apr_fnmatch(s,
+                                            conn->session->session_url.hostname,
+                                            APR_FNM_PERIOD |
+                                            APR_FNM_CASE_BLIND))
+                {
+                  found_matching_hostname = TRUE;
                   break;
-              }
-          }
-      }
+                }
+            }
+        }
 
-      /* Match server certificate CN with the hostname of the server */
-      if (!found_matching_hostname)
+      /* Match server certificate CN with the hostname of the server iff
+       * we didn't find any subjectAltName fields and try to match them.
+       * Per RFC 2818 they are authoritative if present and CommonName
+       * should be ignored. */
+      if (!found_matching_hostname && !found_san_entry)
         {
           const char *hostname = NULL;
 
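Review bot: `found_san_entry = san->nelts > 0;` lets any subjectAltName entry switch off the CN check, while RFC 2818 gives that authority only to dNSName entries; that is right only if serf's `serf_ssl_cert_certificate` fills "subjectAltName" exclusively with dNSName values, which cannot be confirmed from this hunk and deserves a comment such as `/* Assumes serf exposes only dNSName SANs here; other SAN types would not justify ignoring the CN. */`. The `!found_matching_hostname` term in `if (!found_matching_hostname && !found_san_entry)` is redundant, because the only assignment of TRUE sits inside a loop that runs only when found_san_entry is TRUE, so `if (!found_san_entry)` expresses the same condition more honestly. Both this hunk and the next match names with `apr_fnmatch(..., APR_FNM_PERIOD | APR_FNM_CASE_BLIND)`, so a `*` in a certificate name spans label boundaries and `?`/`[...]` are honored, which is looser than the single-label wildcard rule of RFC 6125; that is carried over from the removed lines rather than introduced here, but it is the natural follow-up to this change. ssl_server_cert begins and ends outside this hunk.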
@@ -314,13 +323,16 @@ ssl_server_cert(void *baton, int failure
           if (subject)
             hostname = svn_hash_gets(subject, "CN");
 
-          if (!hostname
-              || apr_fnmatch(hostname, conn->session->session_url.hostname,
-                             APR_FNM_PERIOD | APR_FNM_CASE_BLIND) != APR_SUCCESS)
-          {
-              svn_failures |= SVN_AUTH_SSL_CNMISMATCH;
-          }
-      }
+          if (hostname
+              && apr_fnmatch(hostname, conn->session->session_url.hostname,
+                             APR_FNM_PERIOD | APR_FNM_CASE_BLIND) == APR_SUCCESS)
+            {
+              found_matching_hostname = TRUE;
+            }
+        }
+
+      if (!found_matching_hostname)
+        svn_failures |= SVN_AUTH_SSL_CNMISMATCH;
     }
 
   if (!svn_failures)
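Review bot: `svn_failures |= SVN_AUTH_SSL_CNMISMATCH;` is now also reached when a certificate carrying SANs matched none of them and the CN was never consulted, so the flag's name no longer describes every case that sets it. A short comment above that line would save the next reader from assuming the CN was compared, e.g. `/* Also raised for a subjectAltName mismatch; the CN is ignored when SANs are present. */`. ssl_server_cert continues past the end of this hunk.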


