From a4decb49a6942dd5c958c08aabb107ad47785574 Mon Sep 17 00:00:00 2001 From: Aleksey Tulinov Date: Sat, 8 Jun 2013 00:20:38 +0200 Subject: [PATCH] axtls: honor disabled VERIFYHOST When VERIFYHOST == 0, libcurl should let invalid certificates to pass. --- lib/axtls.c | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/lib/axtls.c b/lib/axtls.c index 59c8a835e..21806403b 100644 --- a/lib/axtls.c +++ b/lib/axtls.c @@ -341,22 +341,30 @@ Curl_axtls_connect(struct connectdata *conn, /* RFC2818 checks */ if(found_subject_alt_names && !found_subject_alt_name_matching_conn) { - /* Break connection ! */ - Curl_axtls_close(conn, sockindex); - free_ssl_structs(ssl_ctx, ssl); - failf(data, "\tsubjectAltName(s) do not match %s\n", conn->host.dispname); - return CURLE_PEER_FAILED_VERIFICATION; + if(data->set.ssl.verifyhost) { + /* Break connection ! */ + Curl_axtls_close(conn, sockindex); + free_ssl_structs(ssl_ctx, ssl); + failf(data, "\tsubjectAltName(s) do not match %s\n", + conn->host.dispname); + return CURLE_PEER_FAILED_VERIFICATION; + } + else + infof(data, "\tsubjectAltName(s) do not match %s\n", } else if(found_subject_alt_names == 0) { /* Per RFC2818, when no Subject Alt Names were available, examine the peer CN as a legacy fallback */ peer_CN = ssl_get_cert_dn(ssl, SSL_X509_CERT_COMMON_NAME); if(peer_CN == NULL) { - /* Similar behaviour to the OpenSSL interface */ - Curl_axtls_close(conn, sockindex); - free_ssl_structs(ssl_ctx, ssl); - failf(data, "unable to obtain common name from peer certificate"); - return CURLE_PEER_FAILED_VERIFICATION; + if(data->set.ssl.verifyhost) { + Curl_axtls_close(conn, sockindex); + free_ssl_structs(ssl_ctx, ssl); + failf(data, "unable to obtain common name from peer certificate"); + return CURLE_PEER_FAILED_VERIFICATION; + } + else + infof(data, "unable to obtain common name from peer certificate"); } else { if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) {