diff options
author | Daniel Stenberg <daniel@haxx.se> | 2018-12-19 08:46:39 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2018-12-20 11:00:34 +0100 |
commit | 0b9fadf81fae1adaefa925c49c8655bc40971168 (patch) | |
tree | 9fb708db069df5653c007d1705d898cf5ee4ed2a | |
parent | ea2fed5d5eaf29fb7c4350654fcb4f3ca9b62ec8 (diff) | |
download | curl-0b9fadf81fae1adaefa925c49c8655bc40971168.tar.gz |
mbedtls: follow-up VERIFYHOST fix from f097669248
Fix-by: Eric Rosenquist
Fixes #3376
Closes #3390
-rw-r--r-- | lib/vtls/mbedtls.c | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index ec1c13d95..88256a861 100644 --- a/lib/vtls/mbedtls.c +++ b/lib/vtls/mbedtls.c @@ -574,25 +574,25 @@ mbed_connect_step2(struct connectdata *conn, ret = mbedtls_ssl_get_verify_result(&BACKEND->ssl); + if(!SSL_CONN_CONFIG(verifyhost)) + /* Ignore hostname errors if verifyhost is disabled */ + ret &= ~MBEDTLS_X509_BADCERT_CN_MISMATCH; + if(ret && SSL_CONN_CONFIG(verifypeer)) { if(ret & MBEDTLS_X509_BADCERT_EXPIRED) failf(data, "Cert verify failed: BADCERT_EXPIRED"); - if(ret & MBEDTLS_X509_BADCERT_REVOKED) { + else if(ret & MBEDTLS_X509_BADCERT_REVOKED) failf(data, "Cert verify failed: BADCERT_REVOKED"); - return CURLE_PEER_FAILED_VERIFICATION; - } - if(ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED) + else if(ret & MBEDTLS_X509_BADCERT_CN_MISMATCH) + failf(data, "Cert verify failed: BADCERT_CN_MISMATCH"); + + else if(ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED) failf(data, "Cert verify failed: BADCERT_NOT_TRUSTED"); return CURLE_PEER_FAILED_VERIFICATION; } - if(ret && SSL_CONN_CONFIG(verifyhost)) { - if(ret & MBEDTLS_X509_BADCERT_CN_MISMATCH) - failf(data, "Cert verify failed: BADCERT_CN_MISMATCH"); - return CURLE_PEER_FAILED_VERIFICATION; - } peercert = mbedtls_ssl_get_peer_cert(&BACKEND->ssl); |