Stéphane Urbanovski
2009-11-23 16:33:00 UTC
Hello
It is possible to check the SSL certificate by using the HTTPS_CA_DIR environment variable: this forces the server to provide a valid certificate.
However, the client does not check whether the server name corresponds to the certificate CN.
This patch fixes this point (v1.1):
--- /lib/Ocsinventory/Agent/Network.pm.orig 2009-11-23 16:53:57.000000000 +0100
+++ /lib/Ocsinventory/Agent/Network.pm 2009-11-23 17:01:46.000000000 +0100
@@ -73,6 +73,14 @@
$req->header('Pragma' => 'no-cache', 'Content-type',
'application/x-compress');
+ # Check server name against provided SSL certificate
+ if ( $self->{URI} =~ /^https:\/\/([^\/]+).*$/ ) {
+ my $cn = $1;
+ $cn =~ s/([\-\.])/\\$1/g;
+ $req->header('If-SSL-Cert-Subject' => '/CN='.$cn);
+ $logger->debug ("Validating Cert CN=".$cn);
+ }
+
$logger->debug ("sending XML");
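Review bot: the subject pattern built on the '/CN='.$cn line is anchored only at the front, so a certificate whose CN merely begins with the expected host name (one issued for <host>.<some-other-domain>) still satisfies the If-SSL-Cert-Subject match; terminate the pattern, e.g. '/CN='.$cn.'(/|$)', so only the complete CN is accepted. Second, the ([^\/]+) capture in the URI regex keeps everything up to the next slash, so a URI carrying a port or userinfo (host:443, user@host) produces a $cn that can never equal the certificate CN and the request fails spuriously; strip those before building the pattern. Finally, the check compares the literal CN only, so wildcard certificates and names present only in subjectAltName will not match; this limitation deserves a mention in the debug message or the documentation.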
#############
--
Stéphane Urbanovski
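The following is an added example, not code from the post or from OCS Inventory, showing the difference between a prefix-style subject check (an unanchored regex of the kind the patch builds) and a fully anchored host-name matcher that also handles ports in the URI, subjectAltName entries, single-label wildcards and IP literals. The certificates are constructed dicts in the shape returned by Python's ssl.SSLSocket.getpeercert(); all host names and addresses are made up.

```python
"""Host-name verification against a server certificate (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit


def host_from_url(url):
    """Return the bare host of an https URL: scheme, userinfo, port and path stripped.

    A regex such as ^https://([^/]+) would keep 'user@host:8443'; urlsplit does not.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https URL with a host: %r" % url)
    return parts.hostname


def dns_name_matches(pattern, host):
    """RFC 6125-style match: exact, or '*' standing for the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False  # a wildcard is only allowed as the entire leftmost label
    rest = pattern[2:]
    if "*" in rest or "." not in rest:
        return False  # no second wildcard, and no '*.com'
    labels = host.split(".", 1)
    return len(labels) == 2 and labels[1] == rest


def cert_matches_host(cert, host):
    """Anchored check of a getpeercert()-shaped dict against a host name or IP."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:  # IP literals are matched only against iPAddress SANs
        return any(ipaddress.ip_address(n) == ip for n in ip_names)
    if dns_names:  # when dNSName SANs exist the CN is ignored, as modern clients do
        return any(dns_name_matches(n, host) for n in dns_names)
    for rdn in cert.get("subject", ()):  # legacy fallback: commonName only
        for key, value in rdn:
            if key == "commonName":
                return dns_name_matches(value, host)
    return False


def prefix_subject_check(subject_line, host):
    """The weak form: an unanchored search for '/CN=<host>' in the subject string."""
    return re.search("/CN=" + re.escape(host), subject_line) is not None


# Constructed sample certificates (not real certificates).
SERVER_CERT = {
    "subject": ((("commonName", "inventory.example.com"),),),
    "subjectAltName": (("DNS", "inventory.example.com"), ("DNS", "*.example.com"),
                       ("IP Address", "203.0.113.5")),
}
LOOKALIKE_CERT = {  # a certificate legitimately issued for a different domain
    "subject": ((("commonName", "inventory.example.com.attacker.test"),),),
}


def demo():
    """Run both checks on the constructed data and return the outcomes."""
    host = host_from_url("https://inventory.example.com:8443/ocsinventory")
    return {
        "host": host,
        "prefix_accepts_lookalike": prefix_subject_check(
            "/CN=inventory.example.com.attacker.test", host),
        "anchored_accepts_lookalike": cert_matches_host(LOOKALIKE_CERT, host),
        "anchored_accepts_server": cert_matches_host(SERVER_CERT, host),
        "wildcard_one_label": cert_matches_host(SERVER_CERT, "agent7.example.com"),
        "wildcard_two_labels": cert_matches_host(SERVER_CERT, "a.b.example.com"),
        "ip_literal": cert_matches_host(SERVER_CERT, "203.0.113.5"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The prefix check accepts the look-alike CN because nothing anchors the end of the pattern, while the anchored matcher only accepts an exact name, a single-label wildcard match under the same parent, or an IP literal listed in the SAN. In a real client the dict would come from the TLS socket after chain validation; this matcher is the step that the post describes as missing.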