From 133a84309cce4f495af096c485c4c75cb1dd0ad2 Mon Sep 17 00:00:00 2001
From: Amarinder Cheema
Date: Mon, 17 Jun 2024 07:42:02 -0700
Subject: [PATCH] Fix TLS cert hostname validation fails when connecting over a forwarding proxy

Fixes issue described in https://github.com/duosecurity/duo_openvpn_as/issues/26
---
 duo_openvpn_as.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/duo_openvpn_as.py b/duo_openvpn_as.py
index 36e01e8..6ee0b46 100644
--- a/duo_openvpn_as.py
+++ b/duo_openvpn_as.py
@@ -512,7 +512,7 @@ def connect(self):
         sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         sock.connect((self.host, self.port))
         self.sock = sock
-        if self._tunnel_host:
+        if getattr(self, '_tunnel_host', None):
             self._tunnel()
 
         context = ssl.create_default_context()
@@ -524,12 +524,13 @@ def connect(self):
         ssl_version_blacklist = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
         context.options = self.cert_reqs | ssl_version_blacklist
 
-        self.sock = context.wrap_socket(self.sock, server_hostname=self.host)
+        api_host = self._tunnel_host or self.host
+        hostname = api_host.split(':', 0)[0]
+
+        self.sock = context.wrap_socket(self.sock, server_hostname=hostname)
 
         if self.cert_reqs & ssl.CERT_REQUIRED:
             cert = self.sock.getpeercert()
-            cert_validation_host = self._tunnel_host or self.host
-            hostname = cert_validation_host.split(':', 0)[0]
             if not self._ValidateCertificateHostname(cert, hostname):
                 raise InvalidCertificateException(hostname, cert, 'hostname mismatch')
 
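Review bot: `hostname = api_host.split(':', 0)[0]` in the second hunk never strips a port, because `maxsplit=0` performs no split and returns the whole string, so the line only reads as if it did. The same expression was carried over from the removed lines, but it now also feeds `server_hostname=`, so a `host:port` value in `_tunnel_host` would be sent as SNI and rejected by the default context's own hostname check as well as by `_ValidateCertificateHostname` — it fails closed, but the connection becomes impossible rather than validated. If tolerating a `host:port` form is the intent, `hostname = api_host.partition(':')[0]` does that (an IPv6 literal would still need separate handling, should that ever be a legitimate value here). The first hunk guards the attribute with `getattr(self, '_tunnel_host', None)` while this hunk reads `self._tunnel_host` directly; if the attribute can really be absent, `api_host = getattr(self, '_tunnel_host', None) or self.host` keeps the two consistent, otherwise the `getattr` in the first hunk is misleading. `connect` continues outside the hunk.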