Oh, really?! Now, just after submission, I notice a bug?! Man. Egg on my face.
Looking at the patch it suddenly occurred to me that if it is compiled against
an ancient OpenSSL so the code in the #ifndef OPENSSL_1_1_0 actually does
something, then if this comparison
> else if ((s = strstr (cert->name,"/CN=")) != NIL) {
is false, we now /accept/ the certificate because I removed the check! The
easiest fix is to have the check duplicated instead of moved. So this part of
the diff:
> - if (ret == NIL && s == NIL)
> - ret = "Unable to locate common name in certificate";
> -
at the end should be dropped. For modern SSL's, this check is redundant, never
matching, and already performed earlier.
Another possibility would be to move the whole shenanigans starting at
> if (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL))
and ending at
> if(ext) GENERAL_NAMES_free(ext);
out of this if:
> if(m == 0 || ret != NIL){
I'm pretty sure part of me actually thought I had done that and therefore I
didn't notice the issue.
