Enable hostname validation for server certificates

Without this setting, OpenSSL would only validate that the certificate has a valid signature from a trusted CA, but not that it actually matches the host to whom we were trying to connect.
tenzir · Feb 3, 2023 · 7703f97 · 7703f97
1 parent cae5ef3
commit 7703f97
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/libcaf_openssl/src/openssl/session.cpp b/libcaf_openssl/src/openssl/session.cpp
@@ -159,6 +159,13 @@ bool session::try_connect(native_socket fd, const std::string& sni_servername) {
   CAF_BLOCK_SIGPIPE();
   SSL_set_fd(ssl_, fd);
   SSL_set_connect_state(ssl_);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  // Enable hostname validation.
+  SSL_set_hostflags(ssl_, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+  if (SSL_set1_host(ssl_, sni_servername.c_str()) != 1)
+    return false;
+#endif
+  // Send SNI when connecting.
   SSL_set_tlsext_host_name(ssl_, sni_servername.c_str());
   auto ret = SSL_connect(ssl_);
   if (ret == 1)