Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use additional OpensslCredentials_t parameter for hostname checking. #1819

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Use additional OpensslCredentials_t parameter for hostname checking. #1819

wants to merge 3 commits into from

Conversation

archigup
Copy link
Member

@archigup archigup commented Oct 6, 2022

This will allow demos to disable hostname checking, allowing them to be used with Greengrass or other endpoints that do not have the hostname in their certificate subject.

By submitting this pull request, I confirm that my contribution is made under the terms of the MIT license.

@archigup archigup requested a review from a team as a code owner October 6, 2022 21:52
@archigup
Remove useless check for valid certificate
cd1b87b 
If certificate check fails, SSL_Connect will fail, thus the removed code will
not run. It would only runs when successful. That function is meant to check the
error code when there is a certificate validation issue.

SSL_get_verify_result is being used incorrectly here; it is intended to get
the validation error reason when SSL_Connect fails, and that failure is due to
an invalid certificate.
@archigup
Allow disabling of server cert hostname check
dff1232
paulbartell
paulbartell reviewed Oct 31, 2022
View reviewed changes
platform/posix/transport/src/openssl_posix.c
sslStatus = SSL_set1_host( pOpensslParams->pSsl, pServerInfo->pHostName );

if( sslStatus != 1 )
if( pOpensslCredentials->disableHostnameCheck == 0U )
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would prefer that we add a separate connect() function which takes a sockaddr_in rather than a hostname.

This would encourage the use of SNI whenever possible.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But I think just checking for pOpensslCredentials->sniHostName != NULL should be sufficient here.

paulbartell
paulbartell reviewed Oct 31, 2022
View reviewed changes
platform/posix/transport/include/openssl_posix.h
@@ -118,6 +118,11 @@ typedef struct OpensslCredentials
*/
const char * sniHostName;

/**
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sniHostName == NULL should result in SNI being disabled rather than an explicit disableHostnameCheck.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@paulbartell paulbartell paulbartell left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@archigup @paulbartell