in wangle/ssl/SSLContextManager.cpp [1032:1092]
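void SSLContextManager::SslContexts::insertSSLCtxByDomainNameImpl(
    const std::string& dn,
    shared_ptr<SSLContext> sslCtx,
    CertCrypto certCrypto,
    bool defaultFallback) {
  // Register `dn` (a certificate CN or subject-alternative-name) as an SNI
  // lookup key for `sslCtx`.
  //
  //  - A name prefixed by exactly "*." is a wildcard entry; the leading '*' is
  //    dropped and the remaining ".suffix" is what gets stored.  A '*' in any
  //    other position (or "*x" without the '.') is rejected.
  //  - A name that is nothing but "." (after stripping the '*') is rejected.
  //  - With `defaultFallback` set the key goes to the default-key list instead
  //    of the DN map.
  //  - When `certCrypto` is not BEST_AVAILABLE the same name is additionally
  //    registered under CertCrypto::BEST_AVAILABLE, so a lookup that does not
  //    ask for the specific crypto still finds this context.
  //
  // Throws std::runtime_error on a malformed name; all checks run before any
  // insert, so a throw leaves the maps untouched.
  const char* dn_ptr = dn.c_str();
  size_t len = dn.length();

  VLOG(4) << folly::stringPrintf(
      "Adding CN/Subject-alternative-name \"%s\" for "
      "SNI search",
      dn_ptr);

  // Only support wildcard domains which are prefixed exactly by "*." .
  // "*" appearing at other locations is not accepted.
  if (len > 2 && dn_ptr[0] == '*') {
    if (dn_ptr[1] != '.') {
      throw std::runtime_error(
          "Invalid wildcard CN/subject-alternative-name \"" + dn +
          "\" "
          "(only allow character \".\" after \"*\"");
    }
    // skip the first '*'
    ++dn_ptr;
    --len;
  }

  if (len == 1 && *dn_ptr == '.') {
    throw std::runtime_error(
        "X509 has only '.' in the CN or subject alternative name "
        "(after removing any preceding '*')");
  }

  // Scan the full `len` bytes rather than strchr's NUL-terminated view: the
  // DNString built below is constructed from `len` as well, so a '*' sitting
  // after an embedded NUL byte in `dn` must be rejected here, not stored.
  if (memchr(dn_ptr, '*', len) != nullptr) {
    throw std::runtime_error(
        "X509 has '*' in the the CN or subject alternative name "
        "(after removing any preceding '*')");
  }

  DNString dnstr(dn_ptr, len);

  // Primary key: exactly the crypto the caller asked for.
  // NOTE(review): the trailing bool is `true` here and `false` for the
  // BEST_AVAILABLE entry below; confirm its meaning (presumably an overwrite
  // flag) against insertIntoDnMap / insertIntoDefaultKeys.
  auto mainKey = SSLContextKey(dnstr, certCrypto);
  if (defaultFallback) {
    insertIntoDefaultKeys(mainKey, true);
  } else {
    insertIntoDnMap(mainKey, sslCtx, true);
  }

  if (certCrypto == CertCrypto::BEST_AVAILABLE) {
    return;
  }

  // Note: there's no partial ordering here (you either get what you request,
  // or you get best available).
  VLOG(6) << "Attempting insert of weak crypto SSLContext as best available.";
  auto weakKey = SSLContextKey(dnstr, CertCrypto::BEST_AVAILABLE);
  if (defaultFallback) {
    insertIntoDefaultKeys(weakKey, false);
  } else {
    insertIntoDnMap(weakKey, sslCtx, false);
  }
}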