From 266874609dabec4ed5b9c2be15983c25649b271a Mon Sep 17 00:00:00 2001
From: Cameron Gutman <aicommander@gmail.com>
Date: Sat, 4 Jul 2020 20:09:06 -0500
Subject: [PATCH] Fix hostname validation for CA-issued certificates

---
 .../com/limelight/nvstream/http/NvHTTP.java   | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/app/src/main/java/com/limelight/nvstream/http/NvHTTP.java b/app/src/main/java/com/limelight/nvstream/http/NvHTTP.java
index 16beddbd..39f40738 100644
--- a/app/src/main/java/com/limelight/nvstream/http/NvHTTP.java
+++ b/app/src/main/java/com/limelight/nvstream/http/NvHTTP.java
@@ -17,6 +17,7 @@ import java.security.NoSuchAlgorithmException;
 import java.security.Principal;
 import java.security.PrivateKey;
 import java.security.SecureRandom;
+import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.LinkedList;
@@ -26,9 +27,11 @@ import java.util.UUID;
 import java.util.concurrent.TimeUnit;
 
 import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
@@ -147,9 +150,21 @@ public class NvHTTP {
             public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }
         };
 
-        // Ignore differences between given hostname and certificate hostname
         HostnameVerifier hv = new HostnameVerifier() {
-            public boolean verify(String hostname, SSLSession session) { return true; }
+            public boolean verify(String hostname, SSLSession session) {
+                try {
+                    Certificate[] certificates = session.getPeerCertificates();
+                    if (certificates.length == 1 && certificates[0].equals(serverCert)) {
+                        // Allow any hostname if it's our pinned cert
+                        return true;
+                    }
+                } catch (SSLPeerUnverifiedException e) {
+                    e.printStackTrace();
+                }
+
+                // Fall back to default HostnameVerifier for validating CA-issued certs
+                return HttpsURLConnection.getDefaultHostnameVerifier().verify(hostname, session);
+            }
         };
 
         httpClient = new OkHttpClient.Builder()