From ca9737d6d6efac7ce9aba1f9686a86b7f6863636 Mon Sep 17 00:00:00 2001
From: Roxie Linden
Date: Wed, 19 May 2010 15:22:46 -0700
Subject: The certificate hostname verification was not taking into account changes in hostname due to a redirect which is handled via curl. I turned off the secapi hostname verification just allowing libcurls hostname verification, as it's better anyway (it handles alt names)
---
 indra/newview/llsecapi.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'indra/newview/llsecapi.cpp')
diff --git a/indra/newview/llsecapi.cpp b/indra/newview/llsecapi.cpp
index 89b799f297..1caeec5b04 100644
--- a/indra/newview/llsecapi.cpp
+++ b/indra/newview/llsecapi.cpp
@@ -121,7 +121,10 @@ int secapiSSLCertVerifyCallback(X509_STORE_CTX *ctx, void *param)
 validation_params[CERT_HOSTNAME] = uri.hostName();
 try
 {
- chain->validate(VALIDATION_POLICY_SSL, store, validation_params);
+ // we rely on libcurl to validate the hostname, as libcurl does more extensive validation
+ // leaving our hostname validation call mechanism for future additions with respect to
+ // OS native (Mac keyring, windows CAPI) validation.
+ chain->validate(VALIDATION_POLICY_SSL & (~VALIDATION_POLICY_HOSTNAME), store, validation_params);
 }
 catch (LLCertValidationTrustException& cert_exception)
 {
-- 
cgit v1.2.3
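Review bot: Nothing in the visible lines guarantees that libcurl's hostname check is enabled for the handles that install secapiSSLCertVerifyCallback, yet the new `chain->validate(...)` call no longer enforces VALIDATION_POLICY_HOSTNAME itself. If a handle runs with CURLOPT_SSL_VERIFYHOST below 2, or the callback is ever reached from a non-curl path, a chain that is trusted but issued for a different host would be accepted. The added comment should state that precondition, for example `// SECURITY: hostname is not checked here; every curl handle using this callback must keep CURLOPT_SSL_VERIFYHOST at 2`. `validation_params[CERT_HOSTNAME]` is still populated just above but appears to be unused under the masked policy, which the same comment could say. The function starts and ends outside the hunk, so the curl handle setup could not be checked from here.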