Refactored tls-remote checking

Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
2026-05-28 04:03:29 -04:00 · 2011-06-29 14:28:44 +02:00 · 2011-06-29 14:28:44 +02:00 · a4c926bb59
commit a4c926bb59
parent 587f419b71
2 changed files with 15 additions and 14 deletions
--- a/ssl.c
+++ b/ssl.c
@ -431,20 +431,6 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
  if (cert_depth == 0 && verify_peer_cert(opt, cert, subject, common_name))
    goto err;

-  /* verify X509 name or common name against --tls-remote */
-  if (opt->verify_x509name && strlen (opt->verify_x509name) > 0 && cert_depth == 0)
-    {
-      if (strcmp (opt->verify_x509name, subject) == 0
-	  || strncmp (opt->verify_x509name, common_name, strlen (opt->verify_x509name)) == 0)
-	msg (D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject);
-      else
-	{
-	  msg (D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s",
-	       subject, opt->verify_x509name);
-	  goto err;		/* Reject connection */
-	}
-    }
-
  /* call --tls-verify plug-in(s) */
  if (plugin_defined (opt->plugins, OPENVPN_PLUGIN_TLS_VERIFY))
    {
--- a/ssl_verify.c
+++ b/ssl_verify.c
@ -382,6 +382,21 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
    }

 #endif /* OPENSSL_VERSION_NUMBER */
+
+  /* verify X509 name or common name against --tls-remote */
+  if (opt->verify_x509name && strlen (opt->verify_x509name) > 0)
+    {
+      if (strcmp (opt->verify_x509name, subject) == 0
+	  || strncmp (opt->verify_x509name, common_name, strlen (opt->verify_x509name)) == 0)
+	msg (D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject);
+      else
+	{
+	  msg (D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s",
+	       subject, opt->verify_x509name);
+	  return 1;		/* Reject connection */
+	}
+    }
+
  return 0;
 }