Do not permit multi-component wildcards on certificate names (OpenSSL, EXPERIMENTAL_C...
[exim.git] / src / src / tls-openssl.c
index fe1b208ac5b2e4d708b913e2f466e11733ad0450..63bf83b1dddc125ab5e03cea5c35c80676b66ea0 100644 (file)
@@ -369,6 +369,9 @@ else
 # if EXIM_HAVE_OPENSSL_CHECKHOST
 #  ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
 #   define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
+#  endif
+#  ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
+#   define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
 #  endif
     {
     int sep = 0;
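Review bot: Defining X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS as 0 when the OpenSSL headers lack it means that on such builds the restriction this commit adds is silently not applied: the OR'd-in 0 is a no-op and neither the build nor the operator learns that multi-level subdomain matching is still permitted. The fallback mirrors the existing one for X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS just above it, so it follows project convention, but a comment at the new `#define` would make the downgrade explicit, e.g. `/* Older OpenSSL: flag unavailable, so ".example.com" entries still match any depth of subdomain */`. If the project's portability policy allows it, a `#warning` here or a one-time debug-log line where the flags are used would be a stronger signal than a comment. The enclosing function begins before this hunk.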
@@ -377,7 +380,8 @@ else
     int rc;
     while ((name = string_nextinlist(&list, &sep, NULL, 0)))
       if ((rc = X509_check_host(cert, name, 0,
-                 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)))
+                 X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
+                 | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS)))
        {
        if (rc < 0)
          {
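Review bot: The flag combination passed to X509_check_host has no comment stating what each flag restricts, so a maintainer reading the call cannot tell that it changes how entries of the configured name list are matched rather than how the certificate's own wildcards are parsed. As I read X509_check_host(3), NO_PARTIAL_WILDCARDS rejects certificate names like `f*o.example.com`, and SINGLE_LABEL_SUBDOMAINS makes a list entry beginning with `.` match only direct child labels; a comment above the call such as `/* Reject partial wildcards in the cert; a ".example.com" entry matches only one label below it */` would record that, with the semantics confirmed against the OpenSSL version the project targets. The enclosing function starts before and continues after this hunk.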