authorAleksey Tulinov <aleksey.tulinov@gmail.com>2013-06-08 00:20:38 +0200
committerDaniel Stenberg <daniel@haxx.se>2013-06-08 00:23:05 +0200
commita4decb49a6942dd5c958c08aabb107ad47785574 (patch)
tree0c7bd9e862f64daf2026131b62226b40b2ff7c12
parentc53fb36b0ce708c9418bdd9b44075f76f821dfcc (diff)
axtls: honor disabled VERIFYHOST
When VERIFYHOST == 0, libcurl should let invalid certificates pass.
-rw-r--r--lib/axtls.c28
1 files changed, 18 insertions, 10 deletions
diff --git a/lib/axtls.c b/lib/axtls.c
index 59c8a835e..21806403b 100644
--- a/lib/axtls.c
+++ b/lib/axtls.c
@@ -341,22 +341,30 @@ Curl_axtls_connect(struct connectdata *conn,
/* RFC2818 checks */
if(found_subject_alt_names && !found_subject_alt_name_matching_conn) {
- /* Break connection ! */
- Curl_axtls_close(conn, sockindex);
- free_ssl_structs(ssl_ctx, ssl);
- failf(data, "\tsubjectAltName(s) do not match %s\n", conn->host.dispname);
- return CURLE_PEER_FAILED_VERIFICATION;
+ if(data->set.ssl.verifyhost) {
+ /* Break connection ! */
+ Curl_axtls_close(conn, sockindex);
+ free_ssl_structs(ssl_ctx, ssl);
+ failf(data, "\tsubjectAltName(s) do not match %s\n",
+ conn->host.dispname);
+ return CURLE_PEER_FAILED_VERIFICATION;
+ }
+ else
+ infof(data, "\tsubjectAltName(s) do not match %s\n",
}
else if(found_subject_alt_names == 0) {
/* Per RFC2818, when no Subject Alt Names were available, examine the peer
CN as a legacy fallback */
peer_CN = ssl_get_cert_dn(ssl, SSL_X509_CERT_COMMON_NAME);
if(peer_CN == NULL) {
- /* Similar behaviour to the OpenSSL interface */
- Curl_axtls_close(conn, sockindex);
- free_ssl_structs(ssl_ctx, ssl);
- failf(data, "unable to obtain common name from peer certificate");
- return CURLE_PEER_FAILED_VERIFICATION;
+ if(data->set.ssl.verifyhost) {
+ Curl_axtls_close(conn, sockindex);
+ free_ssl_structs(ssl_ctx, ssl);
+ failf(data, "unable to obtain common name from peer certificate");
+ return CURLE_PEER_FAILED_VERIFICATION;
+ }
+ else
+ infof(data, "unable to obtain common name from peer certificate");
}
else {
if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) {
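Review bot: As rendered here, the `infof(data, "\tsubjectAltName(s) do not match %s\n",` call in the new `else` branch of the subjectAltName check ends on a trailing comma with no argument before the closing `}`, whereas the `failf` just above it passes `conn->host.dispname` for the same `%s`. If that is not an artefact of the page, the call needs its argument, `infof(data, "\tsubjectAltName(s) do not match %s\n", conn->host.dispname);`, because a `%s` conversion with no matching argument is undefined behaviour even in a variant that compiles. Separately, both new `else` branches let the handshake proceed with a peer whose name was not verified, so a short comment such as `/* verifyhost disabled: mismatch is only logged, peer identity is NOT authenticated */` would make that trust decision explicit for the next reader. The `Curl_cert_hostcheck` branch and the rest of `Curl_axtls_connect` continue outside the hunk, so whether that path applies the same `verifyhost` gate cannot be confirmed from here.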