andreacavalli/netty5
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Only try to call SSL.setHostnameValidation(...) if needed. (#8074)

Browse Source 
Motivation:

As the used OpenSSL version may not support hostname validation we should only really call SSL.setHostNameValidation(...) if we detect that its needed.

Modifications:

Only call SSL.setHostNameValidation if it was disabled before and now it needs to be enabled or if it was enabled before and it should be disabled now.

Result:

Less risk of an exception when using an OpenSSL version that does not support hostname validation.
This commit is contained in:
Norman Maurer 2018-06-28 11:07:13 +02:00 committed by GitHub
parent 9bf74a6809
commit ecc238bea5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 18 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java
View File

@ -1783,10 +1783,20 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
} }
final String endPointIdentificationAlgorithm = sslParameters.getEndpointIdentificationAlgorithm(); final String endPointIdentificationAlgorithm = sslParameters.getEndpointIdentificationAlgorithm();
final boolean endPointVerificationEnabled = endPointIdentificationAlgorithm != null && final boolean endPointVerificationEnabled = isEndPointVerificationEnabled(endPointIdentificationAlgorithm);
!endPointIdentificationAlgorithm.isEmpty();
SSL.setHostNameValidation(ssl, DEFAULT_HOSTNAME_VALIDATION_FLAGS, final boolean wasEndPointVerificationEnabled =
endPointVerificationEnabled ? getPeerHost() : null); isEndPointVerificationEnabled(this.endPointIdentificationAlgorithm);
if (wasEndPointVerificationEnabled && !endPointVerificationEnabled) {
// Passing in null will disable hostname verification again so only do so if it was enabled before.
SSL.setHostNameValidation(ssl, DEFAULT_HOSTNAME_VALIDATION_FLAGS, null);
} else {
String host = endPointVerificationEnabled ? getPeerHost() : null;
if (host != null && !host.isEmpty()) {
SSL.setHostNameValidation(ssl, DEFAULT_HOSTNAME_VALIDATION_FLAGS, host);
}
}
// If the user asks for hostname verification we must ensure we verify the peer. // If the user asks for hostname verification we must ensure we verify the peer.
// If the user disables hostname verification we leave it up to the user to change the mode manually. // If the user disables hostname verification we leave it up to the user to change the mode manually.
if (clientMode && endPointVerificationEnabled) { if (clientMode && endPointVerificationEnabled) {
@ -1799,6 +1809,10 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
super.setSSLParameters(sslParameters); super.setSSLParameters(sslParameters);
} }
private static boolean isEndPointVerificationEnabled(String endPointIdentificationAlgorithm) {
return endPointIdentificationAlgorithm != null && !endPointIdentificationAlgorithm.isEmpty();
}
private boolean isDestroyed() { private boolean isDestroyed() {
return destroyed != 0; return destroyed != 0;
} }