nghttpx: Use --backend-tls-sni-field to verify certificate hostname

9b18e476 · Tatsuhiro Tsujikawa · aecddc2c · 9b18e476
Commit 9b18e476 authored Nov 08, 2015 by Tatsuhiro Tsujikawa
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

src/shrpx_ssl.cc src/shrpx_ssl.cc +4 -1

No files found.
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -930,7 +930,10 @@ int check_cert(SSL *ssl, const DownstreamAddr *addr) {
  std::vector<std::string> dns_names;
  std::vector<std::string> ip_addrs;
  get_altnames(cert, dns_names, ip_addrs, common_name);
-  if (verify_hostname(addr->host.get(), &addr->addr, dns_names, ip_addrs,
+  auto hostname = get_config()->backend_tls_sni_name
+                      ? get_config()->backend_tls_sni_name.get()
+                      : addr->host.get();
+  if (verify_hostname(hostname, &addr->addr, dns_names, ip_addrs,
                      common_name) != 0) {
    LOG(ERROR) << "Certificate verification failed: hostname does not match";
    return -1;