axtls: honor disabled VERIFYHOST

When VERIFYHOST == 0, libcurl should let invalid certificates to pass.
2013-06-08 00:20:38 +02:00 · 2013-06-08 00:20:38 +02:00 · a4decb49a6
parent c53fb36b0c
commit a4decb49a6
1 changed files with 18 additions and 10 deletions
--- a/lib/axtls.c
+++ b/lib/axtls.c
@ -341,22 +341,30 @@ Curl_axtls_connect(struct connectdata *conn,

  /* RFC2818 checks */
  if(found_subject_alt_names && !found_subject_alt_name_matching_conn) {
-    /* Break connection ! */
-    Curl_axtls_close(conn, sockindex);
-    free_ssl_structs(ssl_ctx, ssl);
-    failf(data, "\tsubjectAltName(s) do not match %s\n", conn->host.dispname);
-    return CURLE_PEER_FAILED_VERIFICATION;
+    if(data->set.ssl.verifyhost) {
+      /* Break connection ! */
+      Curl_axtls_close(conn, sockindex);
+      free_ssl_structs(ssl_ctx, ssl);
+      failf(data, "\tsubjectAltName(s) do not match %s\n",
+            conn->host.dispname);
+      return CURLE_PEER_FAILED_VERIFICATION;
+    }
+    else
+      infof(data, "\tsubjectAltName(s) do not match %s\n",
  }
  else if(found_subject_alt_names == 0) {
    /* Per RFC2818, when no Subject Alt Names were available, examine the peer
       CN as a legacy fallback */
    peer_CN = ssl_get_cert_dn(ssl, SSL_X509_CERT_COMMON_NAME);
    if(peer_CN == NULL) {
-      /* Similar behaviour to the OpenSSL interface */
-      Curl_axtls_close(conn, sockindex);
-      free_ssl_structs(ssl_ctx, ssl);
-      failf(data, "unable to obtain common name from peer certificate");
-      return CURLE_PEER_FAILED_VERIFICATION;
+      if(data->set.ssl.verifyhost) {
+        Curl_axtls_close(conn, sockindex);
+        free_ssl_structs(ssl_ctx, ssl);
+        failf(data, "unable to obtain common name from peer certificate");
+        return CURLE_PEER_FAILED_VERIFICATION;
+      }
+      else
+        infof(data, "unable to obtain common name from peer certificate");
    }
    else {
      if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) {