From edb8e44b5a12776a6b5ce4bb5316e4c8acdd858a Mon Sep 17 00:00:00 2001
From: Roland Reichwein
Date: Sat, 7 Jan 2023 12:09:14 +0100
Subject: Fix TLS certificate verification
---
 https.cpp | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
(limited to 'https.cpp')
diff --git a/https.cpp b/https.cpp
index 10f76e0..523acb5 100644
--- a/https.cpp
+++ b/https.cpp
@@ -476,7 +476,7 @@ void load_server_certificate(boost::asio::ssl::context& ctx, const fs::path& cer
 The certificate was generated from CMD.EXE on Windows 10 using:
 
 winpty openssl dhparam -out dh.pem 2048
-winpty openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 10000 -out cert.pem -subj "//C=US\ST=CA\L=Los Angeles\O=Beast\CN=www.example.com"
+winpty openssl req -newkey rsa:4096 -sha256 -nodes -keyout key.pem -x509 -days 10000 -out cert.pem -subj "//C=DE\ST=BY\L=Munich\O=Reichwein\CN=reichwein.it"
 */
 
 std::string const dh =
@@ -531,7 +531,7 @@ void load_server_certificate(boost::asio::ssl::context& ctx, const fs::path& cer
 std::string key;
 
 if (key_path == "") {
-// generate dummy self signed certificate. Will be replaced by real
+// use dummy self signed key. Will be replaced by real
 // certificate if configured upon respective session
 key =
 "-----BEGIN PRIVATE KEY-----\n"
@@ -581,6 +581,15 @@ int ServerNameError(SSL *s, HTTPS::Server::ctx_type& ctx_map)
 return SSL_CLIENT_HELLO_SUCCESS; // OK for now
 }
 
+std::string unbracketed(const std::string& s)
+{
+if (s.size() >= 2 && s.front() == '[' && s.back() == ']') {
+return s.substr(1, s.size() - 2);
+} else {
+return s;
+}
+}
+
 int servername_callback(SSL *s, int *al, void *arg)
 {
 HTTPS::Server::ctx_type& ctx_map = *(HTTPS::Server::ctx_type*)arg;
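Review bot: The reworded comment still leaves it implicit that the PEM private key assigned on the following `key =` lines ships with the source and is therefore not a secret; a reader may take "Will be replaced by real certificate if configured" as a guarantee that it never terminates a session. Suggest saying so directly: `// use dummy self signed key. It is committed with the source, so it is public and only makes this context loadable; a configured per-host key appears to be chosen later by the SNI callback`. Whether a handshake can still complete on this fallback context when no per-host context matches is decided in servername_callback, outside this hunk, so the comment should not promise more than that. load_server_certificate starts before this hunk.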
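Review bot: `unbracketed` is added as an undocumented free function with external linkage although it only serves the two call sites in this commit; give it internal linkage and state its contract, e.g. `// Strip exactly one pair of enclosing square brackets (presumably for hosts written as "[host]") so config keys and SNI names compare equal; anything else is returned unchanged.` above `static std::string unbracketed(const std::string& s)`. The guard on `s.size() >= 2` with both `front()` and `back()` checked means an unmatched `[` or `]` is left alone, which is the conservative choice for a lookup key and worth mentioning in that comment. If the project keeps file-local helpers in an anonymous namespace instead of `static`, use that form for consistency.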
@@ -618,6 +627,8 @@ int servername_callback(SSL *s, int *al, void *arg)
 if (server_name.size() >= 5 && server_name[0] == '\0')
 server_name = server_name.substr(5);
 
+server_name = unbracketed(server_name);
+
 auto it {ctx_map.find(server_name)};
 std::shared_ptr ctx{};
 if (it != ctx_map.end()) {
@@ -668,7 +679,7 @@ void Server::load_certificates()
 for (const auto& host: site.second.hosts) {
 std::cout << " Adding Host " << host << std::endl;
-m_ctx.emplace(host, ctx);
+m_ctx.emplace(unbracketed(host), ctx);
 }
 }
 }
-- 
cgit v1.2.3
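Review bot: The key taken from the ClientHello is now bracket-stripped but otherwise compared byte-wise by `ctx_map.find(server_name)`, so an SNI name that differs from the configured host only in letter case (DNS names are case-insensitive) or by a trailing dot still misses and takes whatever the no-match path below this hunk does. If that path ends up serving the dummy context, the mismatch is a silent fallback rather than a rejection, which is hard to notice in operation; normalising the same way on both sides, e.g. lower-casing inside `unbracketed` (or a sibling `normalized_host` used here and in Server::load_certificates), would close that gap. The `substr(5)` skip on the preceding lines is inherited, not changed here. servername_callback starts before this hunk and the no-match handling follows it.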
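Review bot: `m_ctx.emplace(unbracketed(host), ctx)` discards its return value, so if `ctx_type` is a unique-key map a host listed by two sites (now including `[x]` in one site and `x` in another, which collapse to the same key) silently keeps the first context while the `Adding Host` log line above still reports the second as added. Check the insertion result and surface the collision at startup, e.g. `if (!m_ctx.emplace(unbracketed(host), ctx).second) std::cerr << " Duplicate host " << host << ", keeping first certificate" << std::endl;` — serving the wrong certificate for a host is a misconfiguration an operator needs to see. Server::load_certificates starts before this hunk.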