On 8/1/14 8:23 AM, Ivan Zhakov wrote:
> I think it will be more clear to write code in the following way:
> [[
> san = svn_hash_gets(serf_cert, "subjectAltName");
> /* Match server certificate CN with the hostname of the server iff
>  * we didn't find any subjectAltName fields and try to match them.
>  * Per RFC 2818 they are authoritative if present and CommonName
>  * should be ignored. */
> if (san && san->nelts > 0) {
>     int i;
>     found_san_entry = ;
>     for (i = 0; i < san->nelts; i++) {
>         const char *s = APR_ARRAY_IDX(san, i, const char*);
>         if (apr_fnmatch(s, conn->session->session_url.hostname,
>                         APR_FNM_PERIOD | APR_FNM_CASE_BLIND) == APR_SUCCESS)
>         {
>             found_matching_hostname = 1;
>             break;
>         }
>     }
> }
> else
> {
>     const char *hostname = NULL;
>
>     subject = serf_ssl_cert_subject(cert, scratch_pool);
>
>     if (subject)
>         hostname = svn_hash_gets(subject, "CN");
>
>     if (hostname
>         && apr_fnmatch(hostname, conn->session->session_url.hostname,
>                        APR_FNM_PERIOD | APR_FNM_CASE_BLIND) ==
>            APR_SUCCESS)
>     {
>         found_matching_hostname = 1;
>     }
> }
> ]]
>
> Did I miss something important?
Agreed, committed in r1615272.
Received on 2014-08-02 02:35:15 CEST
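
The rule in the quoted snippet (subjectAltName is authoritative when present, CommonName is consulted only when there is none), as a standalone added example; it is not the code from this thread or from Subversion. It assumes plain C arrays in place of the APR/serf types, the function names and sample names are hypothetical, and it swaps `apr_fnmatch` for a stricter matcher in which `*` covers only the whole left-most label.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: SAN list of a certificate whose CN is "svn.example.com". */
static const char *const sample_san[] = { "www.example.org", "*.example.net" };

/* Hypothetical helper: case-insensitive match where "*" may only stand
 * for the entire left-most label, as in "*.example.net". */
static int name_matches(const char *pattern, const char *host)
{
  const char *dot;

  if (strncmp(pattern, "*.", 2) != 0)
    return strcasecmp(pattern, host) == 0;
  dot = strchr(host, '.');            /* end of the host's first label */
  if (dot == NULL || dot == host)     /* no first label, or an empty one */
    return 0;
  return strcasecmp(pattern + 1, dot) == 0;
}

/* Hypothetical stand-in for the check in the quoted snippet.
 * san/nsan: subjectAltName entries (nsan == 0 when there are none).
 * cn: subject CommonName or NULL.  Returns 1 on a match, 0 otherwise. */
int cert_matches_host(const char *const *san, size_t nsan,
                      const char *cn, const char *host)
{
  size_t i;

  if (nsan > 0)
    {
      /* subjectAltName present: authoritative, CN is never consulted. */
      for (i = 0; i < nsan; i++)
        if (name_matches(san[i], host))
          return 1;
      return 0;
    }
  /* No subjectAltName entries: fall back to CommonName. */
  return cn != NULL && name_matches(cn, host);
}

int main(void)
{
  /* CN matches the host, but a SAN list exists and does not: rejected. */
  printf("%d\n", cert_matches_host(sample_san, 2, "svn.example.com", "svn.example.com"));
  /* No SAN entries, so the CN fallback applies: accepted. */
  printf("%d\n", cert_matches_host(NULL, 0, "svn.example.com", "SVN.example.com"));
  return 0;
}
```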