Skip to content

Commit fb21fa2

Browse files
bsergeanclaude
andauthored
Fix OpenSSL cert validation when host is an IP address (#581) (#588)
X509_VERIFY_PARAM_set1_host only validates the certificate against dNSName / CN SAN entries, so connecting to a host given as a literal IPv4 or IPv6 address (e.g. wss://127.0.0.1/) always failed hostname verification even when the certificate carried a matching iPAddress SAN. Detect IP literals with inet_pton and validate them against the iPAddress SANs via X509_VERIFY_PARAM_set1_ip_asc instead, falling back to set1_host for DNS names. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 8cbbed6 commit fb21fa2

1 file changed

Lines changed: 16 additions & 1 deletion

File tree

ixwebsocket/IXSocketOpenSSL.cpp

Lines changed: 16 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@
99

1010
#include "IXSocketOpenSSL.h"
1111

12+
#include "IXNetSystem.h"
1213
#include "IXSocketConnect.h"
1314
#include "IXUniquePtr.h"
1415
#include <cassert>
@@ -768,7 +769,21 @@ namespace ix
768769
if (!_tlsOptions.disable_hostname_validation)
769770
{
770771
X509_VERIFY_PARAM* param = SSL_get0_param(_ssl_connection);
771-
X509_VERIFY_PARAM_set1_host(param, host.c_str(), host.size());
772+
773+
// When the host is an IP address (literal IPv4 or IPv6), it must be
774+
// validated against the certificate's iPAddress SAN entries rather
775+
// than the dNSName ones. X509_VERIFY_PARAM_set1_host only checks
776+
// dNSName / CN, so it would always fail for IP literals.
777+
struct in6_addr addr;
778+
if (ix::inet_pton(AF_INET, host.c_str(), &addr) == 1 ||
779+
ix::inet_pton(AF_INET6, host.c_str(), &addr) == 1)
780+
{
781+
X509_VERIFY_PARAM_set1_ip_asc(param, host.c_str());
782+
}
783+
else
784+
{
785+
X509_VERIFY_PARAM_set1_host(param, host.c_str(), host.size());
786+
}
772787
}
773788
#endif
774789
handshakeSuccessful = openSSLClientHandshake(host, errMsg, isCancellationRequested);

0 commit comments

Comments
 (0)