authorNalin Dahyabhai <nalin@dahyabhai.net>2014-04-17 17:19:03 -0400
committerGreg Hudson <ghudson@mit.edu>2014-06-02 18:38:54 -0400
commitf7825e81b1ebf533c1dba9f84ae9ad36073a89cf (patch)
treefa7b9e2995e1923fac2b7788fbcc1d989fd761be /src/include
parentf220067c2969aab107bd1300ad1cb8d4855389a7 (diff)
Check names in the server's cert when using KKDCP
When we connect to a KDC using an HTTPS proxy, check that the naming information in the certificate matches the name or address which we extracted from the server URL in the configuration. ticket: 7929
Diffstat (limited to 'src/include')
-rw-r--r--src/include/k5-trace.h5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h
index 046bc95..9e75b29 100644
--- a/src/include/k5-trace.h
+++ b/src/include/k5-trace.h
@@ -324,6 +324,11 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);
TRACE(c, "Resolving hostname {str}", hostname)
#define TRACE_SENDTO_KDC_RESPONSE(c, len, raddr) \
TRACE(c, "Received answer ({int} bytes) from {raddr}", len, raddr)
+#define TRACE_SENDTO_KDC_HTTPS_SERVER_NAME_MISMATCH(c, hostname) \
+ TRACE(c, "HTTPS certificate name mismatch: server certificate is " \
+ "not for \"{str}\"", hostname)
+#define TRACE_SENDTO_KDC_HTTPS_SERVER_NAME_MATCH(c, hostname) \
+ TRACE(c, "HTTPS certificate name matched \"{str}\"", hostname)
#define TRACE_SENDTO_KDC_HTTPS_NO_REMOTE_CERTIFICATE(c) \
TRACE(c, "HTTPS server certificate not received")
#define TRACE_SENDTO_KDC_HTTPS_PROXY_CERTIFICATE_ERROR(c, depth, \
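Review bot: Neither added macro documents where `hostname` comes from, which determines how far a reader can trust the trace line. Per the commit description it is the name or address extracted from the configured server URL, not a string supplied by the peer. I would add a comment above TRACE_SENDTO_KDC_HTTPS_SERVER_NAME_MISMATCH such as `/* hostname is the name or address from the configured KKDCP URL, never a value read from the certificate */`. The mismatch message also records only the expected name, so someone triaging a rejected connection cannot tell which names the certificate presented; if the caller (not visible here) has them, logging them would help, provided they are escaped because they are peer-controlled. The last context macro, TRACE_SENDTO_KDC_HTTPS_PROXY_CERTIFICATE_ERROR, continues past the end of the hunk.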