From: Alexander Barton
Date: Mon, 1 Jan 2024 18:58:35 +0000 (+0100)
Subject: S2S-TLS/OpenSSL: Always setup host name verification
X-Git-Tag: rel-27-rc1~33
X-Git-Url: https://arthur.barton.de/cgi-bin/gitweb.cgi?p=ngircd-alex.git;a=commitdiff_plain;h=84b019b11f761b71c8239d60e7f8db0b82a55df3

S2S-TLS/OpenSSL: Always setup host name verification

Setup host name verification even when the "SSLVerify" option is disabled, because even then the peer can present a valid certificate and validation would always(!) fail because of the missing host name verification setup.
---

diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c
index dcd21def..ce4e27c1 100644
--- a/src/ngircd/conn-ssl.c
+++ b/src/ngircd/conn-ssl.c
@@ -748,25 +748,27 @@ ConnSSL_PrepareConnect(CONNECTION * c, CONF_SERVER * s)
 	if (!ret)
 		return false;
 	Conn_OPTION_ADD(c, CONN_SSL_CONNECT);
+
 #ifdef HAVE_LIBSSL
 	assert(c->ssl_state.ssl);
-	if (s->SSLVerify) {
-		X509_VERIFY_PARAM *param = NULL;
-		param = SSL_get0_param(c->ssl_state.ssl);
-		X509_VERIFY_PARAM_set_hostflags(param,
-						X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
-		int err = X509_VERIFY_PARAM_set1_host(param, s->host, 0);
-		if (err != 1) {
-			Log(LOG_ERR,
-			    "Cannot set up hostname verification for '%s': %u",
-			    s->host, err);
-			return false;
-		}
+
+	X509_VERIFY_PARAM *param = SSL_get0_param(c->ssl_state.ssl);
+	X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+	int err = X509_VERIFY_PARAM_set1_host(param, s->host, 0);
+	if (err != 1) {
+		Log(LOG_ERR,
+		    "Cannot set up hostname verification for '%s': %u",
+		    s->host, err);
+		return false;
+	}
+
+	if (s->SSLVerify)
 		SSL_set_verify(c->ssl_state.ssl, SSL_VERIFY_PEER, Verify_openssl);
-	} else
+	else
 		SSL_set_verify(c->ssl_state.ssl, SSL_VERIFY_NONE, NULL);
 #endif
+
 	return true;
 }
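Review bot: `X509_VERIFY_PARAM_set1_host(param, s->host, 0)` only matches DNS-name identifiers, so if the configured host of a server link can be an IP literal the check can never succeed, even against a certificate carrying a matching iPAddress SAN; if `s->host` may hold an address, that case needs `X509_VERIFY_PARAM_set1_ip_asc(param, s->host)` instead. With `SSL_VERIFY_NONE` the handshake completes regardless of the hostname match, so the new unconditional setup only changes what `SSL_get_verify_result()` later reports; the code that reads that result when SSLVerify is off is outside this hunk and should be confirmed to exist. Separately, `err` is an `int` but is printed with `%u`; the format should be `"Cannot set up hostname verification for '%s': %d"`. ConnSSL_PrepareConnect begins before the hunk.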