Allow disabling of server cert hostname check

aws · Oct 6, 2022 · dff1232 · dff1232
1 parent cd1b87b
commit dff1232
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 5 deletions.
diff --git a/platform/posix/transport/include/openssl_posix.h b/platform/posix/transport/include/openssl_posix.h
@@ -118,6 +118,11 @@ typedef struct OpensslCredentials
      */
     const char * sniHostName;
 
+    /**
+     * @brief If non-zero, don't compare hostname to server certificate subject.
+     */
+    uint8_t disableHostnameCheck;
+
     /**
      * @brief Set the value for the TLS max fragment length (TLS MFLN)
      *

diff --git a/platform/posix/transport/src/openssl_posix.c b/platform/posix/transport/src/openssl_posix.c
@@ -244,12 +244,15 @@ static OpensslStatus_t tlsHandshake( const ServerInfo_t * pServerInfo,
     int32_t sslStatus = -1;
 
     /* Validate the hostname against the server's certificate. */
-    sslStatus = SSL_set1_host( pOpensslParams->pSsl, pServerInfo->pHostName );
-
-    if( sslStatus != 1 )
+    if( pOpensslCredentials->disableHostnameCheck == 0U )
     {
-        LogError( ( "SSL_set1_host failed to set the hostname to validate." ) );
-        returnStatus = OPENSSL_API_ERROR;
+        sslStatus = SSL_set1_host( pOpensslParams->pSsl, pServerInfo->pHostName );
+
+        if( sslStatus != 1 )
+        {
+            LogError( ( "SSL_set1_host failed to set the hostname to validate." ) );
+            returnStatus = OPENSSL_API_ERROR;
+        }
     }
 
     /* Enable SSL peer verification. */