diff --git a/src/LibgnutlsTLSSession.cc b/src/LibgnutlsTLSSession.cc index b59342c8..386819a2 100644 --- a/src/LibgnutlsTLSSession.cc +++ b/src/LibgnutlsTLSSession.cc @@ -313,6 +313,17 @@ int GnuTLSSession::tlsConnect(const std::string& hostname, TLSVersion& version, ret = gnutls_x509_crt_get_subject_alt_name(cert, i, altName, &altNameLen, nullptr); if (ret == GNUTLS_SAN_DNSNAME) { + if (altNameLen == 0) { + continue; + } + + if (altName[altNameLen - 1] == '.') { + --altNameLen; + if (altNameLen == 0) { + continue; + } + } + dnsNames.push_back(std::string(altName, altNameLen)); } else if (ret == GNUTLS_SAN_IPADDRESS) { @@ -323,7 +334,14 @@ int GnuTLSSession::tlsConnect(const std::string& hostname, TLSVersion& version, ret = gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, altName, &altNameLen); if (ret == 0) { - commonName.assign(altName, altNameLen); + if (altNameLen > 0) { + if (altName[altNameLen - 1] == '.') { + --altNameLen; + if (altNameLen > 0) { + commonName.assign(altName, altNameLen); + } + } + } } if (!net::verifyHostname(hostname, dnsNames, ipAddrs, commonName)) { handshakeErr = "hostname does not match"; diff --git a/src/LibsslTLSSession.cc b/src/LibsslTLSSession.cc index 16d1bf56..1014c3ca 100644 --- a/src/LibsslTLSSession.cc +++ b/src/LibsslTLSSession.cc @@ -259,6 +259,15 @@ int OpenSSLTLSSession::tlsConnect(const std::string& hostname, continue; } size_t len = ASN1_STRING_length(altName->d.ia5); + if (len == 0) { + continue; + } + if (name[len - 1] == '.') { + --len; + if (len == 0) { + continue; + } + } dnsNames.push_back(std::string(name, len)); } else if (altName->type == GEN_IPADD) { @@ -290,6 +299,17 @@ int OpenSSLTLSSession::tlsConnect(const std::string& hostname, if (outlen < 0) { continue; } + if (outlen == 0) { + OPENSSL_free(out); + continue; + } + if (out[outlen - 1] == '.') { + --outlen; + if (outlen == 0) { + OPENSSL_free(out); + continue; + } + } commonName.assign(&out[0], &out[outlen]); OPENSSL_free(out); break;
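Review bot: The trailing-dot stripping added to the GnuTLS SAN loop carries no comment saying why it is done, and the same strip is repeated in the SAN hunk of LibsslTLSSession.cc and in both common-name hunks. A one-line comment above the check would record the intent, for example `// "example.org." and "example.org" name the same host; compare without the root dot.` Nothing visible here shows `hostname` receiving the same normalisation before `net::verifyHostname`, so it is worth confirming that both sides of the comparison are trimmed alike. A small shared helper that trims a `(pointer, length)` pair would keep the four sites from drifting apart. The enclosing loop and `tlsConnect` start and end outside the hunk.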
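Review bot: In the GnuTLS common-name hunk, `commonName.assign(altName, altNameLen)` now sits inside the `if (altName[altNameLen - 1] == '.')` branch, so a CN that does not end in a dot is never copied and `commonName` stays empty. The removed line assigned it unconditionally, and the OpenSSL common-name hunk still assigns after trimming, so this looks unintended. The effect depends on `net::verifyHostname`, which is not shown, but a certificate that relies on the CN would presumably stop matching. Separating the trim from the assignment, as below, restores the old behaviour for undotted names. `tlsConnect` continues outside the hunk.

```cpp
if (ret == 0) {
  // Drop a single trailing dot, then keep whatever remains.
  if (altNameLen > 0 && altName[altNameLen - 1] == '.') {
    --altNameLen;
  }
  if (altNameLen > 0) {
    commonName.assign(altName, altNameLen);
  }
}
```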
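Review bot: The OpenSSL common-name hunk adds two separate `OPENSSL_free(out); continue;` exits, so the cleanup is now written three times in this stretch and a later edit that adds another early exit can easily leak `out`. Trimming first and testing for emptiness once keeps a single early-exit path: `if (outlen > 0 && out[outlen - 1] == '.') { --outlen; }` followed by `if (outlen == 0) { OPENSSL_free(out); continue; }`. The behaviour is unchanged from what the hunk does now. The surrounding loop begins and ends outside the hunk.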