From 0d814ba35b5e26eb9a42ea7a52521eca44306479 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Fri, 6 Oct 2017 18:09:37 +0300
Subject: [PATCH] libfetch: fix certificate host name check

OpenSSL allows passing zero-length to indicate "use strlen".
LibreSSL requires using the real length always, so pass the length.
---
 libfetch/common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libfetch/common.c b/libfetch/common.c
index 278c606e..3bd8a536 100644
--- a/libfetch/common.c
+++ b/libfetch/common.c
@@ -541,7 +541,7 @@ fetch_ssl(conn_t *conn, const struct url *URL, int verbose)
 	if (getenv("SSL_NO_VERIFY_HOSTNAME") == NULL) {
 		if (verbose)
 			fetch_info("Verify hostname");
-		if (X509_check_host(conn->ssl_cert, URL->host, 0,
+		if (X509_check_host(conn->ssl_cert, URL->host, strlen(URL->host),
 				X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,
 				NULL) != 1) {
 			fprintf(stderr, "SSL certificate subject doesn't match host %s\n",
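Review bot: The reason for passing `strlen(URL->host)` to `X509_check_host()` is recorded only in the commit message, so a later cleanup could put the `0` back and presumably break hostname verification on LibreSSL builds again. I would add a comment directly above the call, for example `/* pass the real length: LibreSSL does not treat 0 as "use strlen" */`. The `!= 1` comparison should stay as it is, because it also rejects the negative error returns of `X509_check_host()` and not just a plain mismatch, which keeps the check fail-closed. The body of fetch_ssl starts and ends outside this hunk, so whether `<string.h>` is already included in common.c cannot be confirmed from here.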
-- 
GitLab