axtls: honor disabled VERIFYHOST
When VERIFYHOST == 0, libcurl should let invalid certificates pass.
parent
c53fb36b0c
commit
a4decb49a6
28
lib/axtls.c
28
lib/axtls.c
@ -341,22 +341,30 @@ Curl_axtls_connect(struct connectdata *conn,
|
|||||||
|
|
||||||
/* RFC2818 checks */
|
/* RFC2818 checks */
|
||||||
if(found_subject_alt_names && !found_subject_alt_name_matching_conn) {
|
if(found_subject_alt_names && !found_subject_alt_name_matching_conn) {
|
||||||
/* Break connection ! */
|
if(data->set.ssl.verifyhost) {
|
||||||
Curl_axtls_close(conn, sockindex);
|
/* Break connection ! */
|
||||||
free_ssl_structs(ssl_ctx, ssl);
|
Curl_axtls_close(conn, sockindex);
|
||||||
failf(data, "\tsubjectAltName(s) do not match %s\n", conn->host.dispname);
|
free_ssl_structs(ssl_ctx, ssl);
|
||||||
return CURLE_PEER_FAILED_VERIFICATION;
|
failf(data, "\tsubjectAltName(s) do not match %s\n",
|
||||||
|
conn->host.dispname);
|
||||||
|
return CURLE_PEER_FAILED_VERIFICATION;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
infof(data, "\tsubjectAltName(s) do not match %s\n",
|
||||||
}
|
}
|
||||||
else if(found_subject_alt_names == 0) {
|
else if(found_subject_alt_names == 0) {
|
||||||
/* Per RFC2818, when no Subject Alt Names were available, examine the peer
|
/* Per RFC2818, when no Subject Alt Names were available, examine the peer
|
||||||
CN as a legacy fallback */
|
CN as a legacy fallback */
|
||||||
peer_CN = ssl_get_cert_dn(ssl, SSL_X509_CERT_COMMON_NAME);
|
peer_CN = ssl_get_cert_dn(ssl, SSL_X509_CERT_COMMON_NAME);
|
||||||
if(peer_CN == NULL) {
|
if(peer_CN == NULL) {
|
||||||
/* Similar behaviour to the OpenSSL interface */
|
if(data->set.ssl.verifyhost) {
|
||||||
Curl_axtls_close(conn, sockindex);
|
Curl_axtls_close(conn, sockindex);
|
||||||
free_ssl_structs(ssl_ctx, ssl);
|
free_ssl_structs(ssl_ctx, ssl);
|
||||||
failf(data, "unable to obtain common name from peer certificate");
|
failf(data, "unable to obtain common name from peer certificate");
|
||||||
return CURLE_PEER_FAILED_VERIFICATION;
|
return CURLE_PEER_FAILED_VERIFICATION;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
infof(data, "unable to obtain common name from peer certificate");
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) {
|
if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) {
|
||||||
|
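Review bot: The two new `else` branches taken when `data->set.ssl.verifyhost` is zero log the failed name check with the same text as the error path, and the second one, `infof(data, "unable to obtain common name from peer certificate");`, has no trailing `\n` although the first `infof` in this hunk does. I would state that the connection continues and terminate the line, e.g. `infof(data, "\tsubjectAltName(s) do not match %s, continuing because host verification is disabled\n", conn->host.dispname);`, so a verbose log records that an unverified peer name was accepted. Both `else` arms are unbraced next to a braced `if`; bracing them would keep a later added statement from falling outside the condition. The hunk ends at the `Curl_cert_hostcheck()` condition, whose body lies outside it, so whether the CN-mismatch path also consults `verifyhost` cannot be seen here and should be checked for consistency with these two branches.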