ssl: Extend hostname check to fallback to checking IP-address

If no SNI is available and the hostname is an IP-address also check for IP-address match. This check is not as good as a DNS hostname check and certificates using IP-address are not recommended.
author: Ingela Anderton Andin <[email protected]> 2017-10-06 17:24:16 +0200
committer: Ingela Anderton Andin <[email protected]> 2017-10-13 11:35:39 +0200
commit: 0bb96516ce308b6fb837696338b492d3c9a9f429 (patch)
tree: 4daf04a9d86159bf803db457eda16c4199992afa /lib/ssl/src/ssl_certificate.erl
parent: 4f4bf872831b12cac8913e8a62e35725d0173b0d (diff)
download: otp-0bb96516ce308b6fb837696338b492d3c9a9f429.tar.gz
otp-0bb96516ce308b6fb837696338b492d3c9a9f429.tar.bz2
otp-0bb96516ce308b6fb837696338b492d3c9a9f429.zip
1 files changed, 31 insertions, 7 deletions
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index 0dd5e5c5cf..a3333d35e9 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -138,13 +138,8 @@ validate(_, {bad_cert, _} = Reason, _) ->
     {fail, Reason};
 validate(_, valid, UserState) ->
     {valid, UserState};
-validate(Cert, valid_peer, UserState = {client, _,_, Hostname, _, _}) when Hostname =/= undefined ->
-    case public_key:pkix_verify_hostname(Cert, [{dns_id, Hostname}]) of
-        true ->
-            {valid, UserState};
-        false ->
-            {fail, {bad_cert, hostname_check_failed}}
-    end;
+validate(Cert, valid_peer, UserState = {client, _,_, Hostname, _, _}) when Hostname =/= disable ->
+    verify_hostname(Hostname, Cert, UserState);  
 validate(_, valid_peer, UserState) ->    
    {valid, UserState}.
 
@@ -337,3 +332,32 @@ new_trusteded_chain(DerCert, [_ | Rest]) ->
     new_trusteded_chain(DerCert, Rest);
 new_trusteded_chain(_, []) ->
     unknown_ca.
+
+verify_hostname({fallback, Hostname}, Cert, UserState) when is_list(Hostname) ->
+    case public_key:pkix_verify_hostname(Cert, [{dns_id, Hostname}]) of
+        true ->
+            {valid, UserState};
+        false ->
+            case public_key:pkix_verify_hostname(Cert, [{ip, Hostname}]) of
+                true ->
+                    {valid, UserState};
+                false ->
+                    {fail, {bad_cert, hostname_check_failed}}
+            end
+    end;
+
+verify_hostname({fallback, Hostname}, Cert, UserState) ->
+    case public_key:pkix_verify_hostname(Cert, [{ip, Hostname}]) of
+        true ->
+            {valid, UserState};
+        false ->
+            {fail, {bad_cert, hostname_check_failed}}
+    end;
+
+verify_hostname(Hostname, Cert, UserState) ->
+    case public_key:pkix_verify_hostname(Cert, [{dns_id, Hostname}]) of
+        true ->
+            {valid, UserState};
+        false ->
+            {fail, {bad_cert, hostname_check_failed}}
+    end.
author	Ingela Anderton Andin <[email protected]>	2017-10-06 17:24:16 +0200
committer	Ingela Anderton Andin <[email protected]>	2017-10-13 11:35:39 +0200
commit	0bb96516ce308b6fb837696338b492d3c9a9f429 (patch)
tree	4daf04a9d86159bf803db457eda16c4199992afa /lib/ssl/src/ssl_certificate.erl
parent	4f4bf872831b12cac8913e8a62e35725d0173b0d (diff)
download	otp-0bb96516ce308b6fb837696338b492d3c9a9f429.tar.gz otp-0bb96516ce308b6fb837696338b492d3c9a9f429.tar.bz2 otp-0bb96516ce308b6fb837696338b492d3c9a9f429.zip