Add option to disable hostname check (#399)

* Suppress compiler warnings about unused elements.

* Enable CMake's compilation database.

* Add TLS option to disable checking a certificate's host name.

* Add `--disable-hostname-validation` to `ws`.

* Add test for disabling hostname validation.

ixwebsocket/IXSocketAppleSSL.cpp

@@ -205,7 +205,9 @@ namespace ix
                 _sslContext, SocketAppleSSL::readFromSocket, SocketAppleSSL::writeToSocket);
             SSLSetConnection(_sslContext, (SSLConnectionRef)(long) _sockfd);
             SSLSetProtocolVersionMin(_sslContext, kTLSProtocol12);
-            SSLSetPeerDomainName(_sslContext, host.c_str(), host.size());
+
+            if (!_tlsOptions.disable_hostname_validation)
+                SSLSetPeerDomainName(_sslContext, host.c_str(), host.size());
 
             if (_tlsOptions.isPeerVerifyDisabled())
             {

ixwebsocket/IXSocketMbedTLS.cpp

@@ -48,7 +48,7 @@ namespace ix
         mbedtls_pk_init(&_pkey);
     }
 
-    bool SocketMbedTLS::loadSystemCertificates(std::string& errorMsg)
+    bool SocketMbedTLS::loadSystemCertificates(std::string& /* errorMsg */)
     {
 #ifdef _WIN32
         DWORD flags = CERT_STORE_READONLY_FLAG | CERT_STORE_OPEN_EXISTING_FLAG |
@@ -195,10 +195,13 @@ namespace ix
             return false;
         }
 
-        if (!host.empty() && mbedtls_ssl_set_hostname(&_ssl, host.c_str()) != 0)
+        if (!_tlsOptions.disable_hostname_validation)
         {
-            errMsg = "SNI setup failed";
-            return false;
+            if (!host.empty() && mbedtls_ssl_set_hostname(&_ssl, host.c_str()) != 0)
+            {
+                errMsg = "SNI setup failed";
+                return false;
+            }
         }
 
         return true;

ixwebsocket/IXSocketOpenSSL.cpp

@@ -301,7 +301,11 @@ namespace ix
     }
 
     bool SocketOpenSSL::openSSLCheckServerCert(SSL* ssl,
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
                                                const std::string& hostname,
+#else
+                                               const std::string& /* hostname */,
+#endif
                                                std::string& errMsg)
     {
         X509* server_cert = SSL_get_peer_certificate(ssl);
@@ -390,6 +394,11 @@ namespace ix
             int connect_result = SSL_connect(_ssl_connection);
             if (connect_result == 1)
             {
+                if (_tlsOptions.disable_hostname_validation)
+                {
+                    return true;
+                }
+
                 return openSSLCheckServerCert(_ssl_connection, host, errMsg);
             }
             int reason = SSL_get_error(_ssl_connection, connect_result);
@@ -754,8 +763,11 @@ namespace ix
             // (The docs say that this should work from 1.0.2, and is the default from
             // 1.1.0, but it does not. To be on the safe side, the manual test
             // below is enabled for all versions prior to 1.1.0.)
-            X509_VERIFY_PARAM* param = SSL_get0_param(_ssl_connection);
-            X509_VERIFY_PARAM_set1_host(param, host.c_str(), host.size());
+            if (!_tlsOptions.disable_hostname_validation)
+            {
+                X509_VERIFY_PARAM* param = SSL_get0_param(_ssl_connection);
+                X509_VERIFY_PARAM_set1_host(param, host.c_str(), host.size());
+            }
 #endif
             handshakeSuccessful = openSSLClientHandshake(host, errMsg, isCancellationRequested);
         }

ixwebsocket/IXSocketTLSOptions.h

@@ -33,6 +33,9 @@ namespace ix
         // whether tls is enabled, used for server code
         bool tls = false;
 
+        // whether to skip validating the peer's hostname against the certificate presented
+        bool disable_hostname_validation = false;
+
         bool hasCertAndKey() const;
 
         bool isUsingSystemDefaults() const;