-rwxr-xr-xgmi.pl31
1 files changed, 10 insertions, 21 deletions
diff --git a/gmi.pl b/gmi.pl
index 194ac6b..270fa3d 100755
--- a/gmi.pl
+++ b/gmi.pl
@@ -10,7 +10,7 @@ use warnings;
use feature qw(refaliasing);
no warnings qw(experimental::refaliasing);
-our $VERSION = 'v0.0.30';
+our $VERSION = 'v0.0.31';
# TODO:
# back() only works once; should fix this
@@ -298,47 +298,36 @@ sub url {
}
sub peer_cert {
- ### peer_cert
+ # ## peer_cert
# 1. compare figureprint if possible
# 2. is it expired?
# 3. if error: ask user for imput
my ($cl, $hostname) = @_;
- ### before CERT_asHash
+ # ## before CERT_asHash
my @peer_certs = $cl->peer_certificates;
#print $OUT Dumper(\@peer_certs);
#
# if the server sends us more than ONE cert then I am baffled as to why but it happens
my $peer_cert = CERT_asHash($peer_certs[0]);
- ### IO Socket SSL Utils already has done fingerprinting so we do not need to.
+ # ## IO Socket SSL Utils already has done fingerprinting so we do not need to.
my $peer_fingerprint = $peer_cert->{fingerprint_sha256};
my $peer_not_before = $peer_cert->{not_before};
my $peer_not_after = $peer_cert->{not_after};
my $peer_commonName = $peer_cert->{subject}->{commonName};
my $peer_subjectAltNames = $peer_cert->{subjectAltNames};
+ my $verify_hostname = $cl->verify_hostname($hostname);
### $peer_cert
### $peer_fingerprint
### $peer_not_before
### $peer_not_after
### $peer_commonName
### $peer_subjectAltNames
+ ### $verify_hostname
- if ($hostname ne $peer_commonName) {
- ### hostname is not commonName
- my $counter = 0;
- my $subjectAltName = 0;
- for (@$peer_subjectAltNames) {
- if ($peer_subjectAltNames->[$counter][0] eq 'DNS') {
- if (lc $peer_subjectAltNames->[$counter][1] eq lc $hostname) {
- ### Good subjectAltName
- $subjectAltName = 1;
- }
- }
- $counter++;
- }
- if (! $subjectAltName) {
- print $OUT "The server offers a cert that doesn't match their domain name.\n";
- return 0;
- }
+
+ if (! $verify_hostname) {
+ print $OUT "The server offers a cert that doesn't match their domain name.\n";
+ return 0;
}
# compare figureprint...