Merge branch 'ingela/ssl/extend-hostname-check/OTP-14632/OTP-14655' into maint

* ingela/ssl/extend-hostname-check/OTP-14632/OTP-14655: ssl: Fix test cases to work on all test platforms public_key: Fix dialyzer spec ssl: Sessions must be registered with SNI if exists ssl: Extend hostname check to fallback to checking IP-address public_key, ssl: Handles keys so that APIs are preserved correctly
author: Ingela Anderton Andin <[email protected]> 2017-10-17 16:21:15 +0200
committer: Ingela Anderton Andin <[email protected]> 2017-10-17 16:21:15 +0200
commit: 290c920aca365968ebaa10a63e25fd2579bce408 (patch)
tree: 42b697cfa0b502741758865f38eed4ed2941fbb4 /lib/ssl/src/ssl_certificate.erl
parent: 82489e794c015742f8879438394fa8a2f4c6fd1b (diff)
parent: 7d05f57c2182626aaaee4a7c164d4bb6a7b9e38c (diff)
download: otp-290c920aca365968ebaa10a63e25fd2579bce408.tar.gz
otp-290c920aca365968ebaa10a63e25fd2579bce408.tar.bz2
otp-290c920aca365968ebaa10a63e25fd2579bce408.zip
1 files changed, 31 insertions, 7 deletions
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index 0dd5e5c5cf..a3333d35e9 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -138,13 +138,8 @@ validate(_, {bad_cert, _} = Reason, _) ->
     {fail, Reason};
 validate(_, valid, UserState) ->
     {valid, UserState};
-validate(Cert, valid_peer, UserState = {client, _,_, Hostname, _, _}) when Hostname =/= undefined ->
-    case public_key:pkix_verify_hostname(Cert, [{dns_id, Hostname}]) of
-        true ->
-            {valid, UserState};
-        false ->
-            {fail, {bad_cert, hostname_check_failed}}
-    end;
+validate(Cert, valid_peer, UserState = {client, _,_, Hostname, _, _}) when Hostname =/= disable ->
+    verify_hostname(Hostname, Cert, UserState);  
 validate(_, valid_peer, UserState) ->    
    {valid, UserState}.
 
@@ -337,3 +332,32 @@ new_trusteded_chain(DerCert, [_ | Rest]) ->
     new_trusteded_chain(DerCert, Rest);
 new_trusteded_chain(_, []) ->
     unknown_ca.
+
+verify_hostname({fallback, Hostname}, Cert, UserState) when is_list(Hostname) ->
+    case public_key:pkix_verify_hostname(Cert, [{dns_id, Hostname}]) of
+        true ->
+            {valid, UserState};
+        false ->
+            case public_key:pkix_verify_hostname(Cert, [{ip, Hostname}]) of
+                true ->
+                    {valid, UserState};
+                false ->
+                    {fail, {bad_cert, hostname_check_failed}}
+            end
+    end;
+
+verify_hostname({fallback, Hostname}, Cert, UserState) ->
+    case public_key:pkix_verify_hostname(Cert, [{ip, Hostname}]) of
+        true ->
+            {valid, UserState};
+        false ->
+            {fail, {bad_cert, hostname_check_failed}}
+    end;
+
+verify_hostname(Hostname, Cert, UserState) ->
+    case public_key:pkix_verify_hostname(Cert, [{dns_id, Hostname}]) of
+        true ->
+            {valid, UserState};
+        false ->
+            {fail, {bad_cert, hostname_check_failed}}
+    end.
author	Ingela Anderton Andin <[email protected]>	2017-10-17 16:21:15 +0200
committer	Ingela Anderton Andin <[email protected]>	2017-10-17 16:21:15 +0200
commit	290c920aca365968ebaa10a63e25fd2579bce408 (patch)
tree	42b697cfa0b502741758865f38eed4ed2941fbb4 /lib/ssl/src/ssl_certificate.erl
parent	82489e794c015742f8879438394fa8a2f4c6fd1b (diff)
parent	7d05f57c2182626aaaee4a7c164d4bb6a7b9e38c (diff)
download	otp-290c920aca365968ebaa10a63e25fd2579bce408.tar.gz otp-290c920aca365968ebaa10a63e25fd2579bce408.tar.bz2 otp-290c920aca365968ebaa10a63e25fd2579bce408.zip