From e1c57ca35b43e6d85749be1f44bdfa4a5359d4e5 Mon Sep 17 00:00:00 2001
From: Patrick McDermott
Date: Sat, 03 Aug 2019 18:39:28 -0400
Subject: s_client: Use wolfSSL DN check code, not extra API

And drop --enable-opensslextra option recommendation in README.

Also, check SNI name, not host name.
---
diff --git a/README b/README
index 060be30..d20ccb9 100644
--- a/README
+++ b/README
@@ -16,7 +16,6 @@ Building wolfSSL with the following configuration options (keeping other defaults) is recommended for wolfssl-util to perform as a strong modern TLS implementation:
- --enable-opensslextra
 --enable-maxstrength
 --disable-aescbc
 --disable-oldtls
diff --git a/src/s_client.c b/src/s_client.c
index 0cd77ca..cdf3df3 100644
--- a/src/s_client.c
+++ b/src/s_client.c
@@ -287,9 +287,6 @@ s_client(int argc, char **argv)
 int sfd = -1;
 int err;
 char buf[WOLFSSL_MAX_ERROR_SZ];
-#ifdef OPENSSL_EXTRA
- WOLFSSL_X509 *cert;
-#endif
 
 for (; argc > 0; --argc, ++argv) {
 if (strcmp(*argv, "-quiet") == 0) {
@@ -324,7 +321,6 @@ s_client(int argc, char **argv)
 }
 #endif
 
- (void) servername;
 if (
 #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
 wolfSSL_CTX_EnableOCSPStapling(ctx) != WOLFSSL_SUCCESS
@@ -353,7 +349,10 @@ s_client(int argc, char **argv)
 #ifdef HAVE_SUPPORTED_CURVES
 use_curves(ctx) == false ||
 #endif
- (ssl = wolfSSL_new(ctx)) == NULL) {
+ (ssl = wolfSSL_new(ctx)) == NULL ||
+ wolfSSL_check_domain_name(ssl, servername) !=
+ WOLFSSL_SUCCESS
+ ) {
 fputs("Out of memory\n", stderr);
 goto error;
 }
@@ -371,19 +370,6 @@ s_client(int argc, char **argv)
 goto error;
 }
 
-#ifdef OPENSSL_EXTRA
- cert = wolfSSL_get_peer_certificate(ssl);
- if (cert == NULL) {
- fputs("Failed to get certificate\n", stderr);
- goto error;
- }
- if (wolfSSL_X509_check_host(cert, host, strlen(host), 0, NULL) !=
- WOLFSSL_SUCCESS) {
- fputs("Domain name mismatch\n", stderr);
- goto error;
- }
-#endif /* OPENSSL_EXTRA */
-
 if (poll_fds(sfd, ssl) == false) {
 goto error;
 }
-- 
cgit v0.9.1
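Review bot: In the third s_client.c hunk (`@@ -353,7 +349,10 @@`), a failing `wolfSSL_check_domain_name(ssl, servername)` is folded into the same condition as `wolfSSL_new`, so it is reported as "Out of memory" even though that call also fails for a rejected argument; `servername` is assigned outside the hunk, and the `(void) servername;` removed in the second hunk suggests it may be unset in some build configurations, so a NULL or empty SNI name would surface as a bogus allocation failure and the connection would be refused without saying why. Giving the call its own check with a distinct message keeps the diagnostic honest, and the no-SNI-name case (whether to refuse, or fall back to the host name) should be decided explicitly there rather than by accident. Since the explicit post-connect `wolfSSL_X509_check_host` check removed in the last hunk is replaced by wolfSSL's handshake-time domain match, the `wolfSSL_connect` error path (outside the hunk) is now the only place a name mismatch is reported; it is worth confirming that path prints the wolfSSL error string and that the verify mode this client sets does not suppress the domain-name check. s_client's body starts and ends outside the hunk.
```c
			(ssl = wolfSSL_new(ctx)) == NULL) {
		/* … unchanged: "Out of memory" report and goto error … */
	}
	if (wolfSSL_check_domain_name(ssl, servername) != WOLFSSL_SUCCESS) {
		fputs("Failed to set domain name to check\n", stderr);
		goto error;
	}
```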