Verify certificate name

This commit is contained in:
Jakob Borg 2014-07-30 07:59:22 +02:00
parent 4ff6cd9105
commit ea4524024a
2 changed files with 23 additions and 1 deletions

View File

@ -633,7 +633,8 @@ next:
conn.Close()
continue
}
remoteID := protocol.NewNodeID(certs[0].Raw)
remoteCert := certs[0]
remoteID := protocol.NewNodeID(remoteCert.Raw)
if remoteID == myID {
l.Infof("Connected to myself (%s) - should not happen", remoteID)
@ -649,10 +650,30 @@ next:
for _, nodeCfg := range cfg.Nodes {
if nodeCfg.NodeID == remoteID {
// Verify the name on the certificate. By default we set it to
// "syncthing" when generating, but the user may have replaced
// the certificate and used another name.
certName := nodeCfg.CertName
if certName == "" {
certName = "syncthing"
}
err := remoteCert.VerifyHostname(certName)
if err != nil {
// Incorrect certificate name is something the user most
// likely wants to know about, since it's an advanced
// config. Warn instead of Info.
l.Warnf("Bad certificate from %s (%v): %v", remoteID, conn.RemoteAddr(), err)
conn.Close()
continue next
}
// If rate limiting is set, we wrap the write side of the
// connection in a limiter.
var wr io.Writer = conn
if rateBucket != nil {
wr = &limitedWriter{conn, rateBucket}
}
name := fmt.Sprintf("%s-%s", conn.LocalAddr(), conn.RemoteAddr())
protoConn := protocol.NewConnection(remoteID, conn, wr, m, name, nodeCfg.Compression)

View File

@ -97,6 +97,7 @@ type NodeConfiguration struct {
Name string `xml:"name,attr,omitempty"`
Addresses []string `xml:"address,omitempty"`
Compression bool `xml:"compression,attr"`
CertName string `xml:"certName,attr,omitempty"`
}
type OptionsConfiguration struct {