authorDaniel Stenberg <daniel@haxx.se>2018-12-19 08:46:39 +0100
committerDaniel Stenberg <daniel@haxx.se>2018-12-20 11:00:34 +0100
commit0b9fadf81fae1adaefa925c49c8655bc40971168 (patch)
tree9fb708db069df5653c007d1705d898cf5ee4ed2a
parentea2fed5d5eaf29fb7c4350654fcb4f3ca9b62ec8 (diff)
mbedtls: follow-up VERIFYHOST fix from f097669248
Fix-by: Eric Rosenquist
Fixes #3376
Closes #3390
-rw-r--r--lib/vtls/mbedtls.c18
1 files changed, 9 insertions, 9 deletions
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index ec1c13d95..88256a861 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -574,25 +574,25 @@ mbed_connect_step2(struct connectdata *conn,
ret = mbedtls_ssl_get_verify_result(&BACKEND->ssl);
+ if(!SSL_CONN_CONFIG(verifyhost))
+ /* Ignore hostname errors if verifyhost is disabled */
+ ret &= ~MBEDTLS_X509_BADCERT_CN_MISMATCH;
+
if(ret && SSL_CONN_CONFIG(verifypeer)) {
if(ret & MBEDTLS_X509_BADCERT_EXPIRED)
failf(data, "Cert verify failed: BADCERT_EXPIRED");
- if(ret & MBEDTLS_X509_BADCERT_REVOKED) {
+ else if(ret & MBEDTLS_X509_BADCERT_REVOKED)
failf(data, "Cert verify failed: BADCERT_REVOKED");
- return CURLE_PEER_FAILED_VERIFICATION;
- }
- if(ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED)
+ else if(ret & MBEDTLS_X509_BADCERT_CN_MISMATCH)
+ failf(data, "Cert verify failed: BADCERT_CN_MISMATCH");
+
+ else if(ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED)
failf(data, "Cert verify failed: BADCERT_NOT_TRUSTED");
return CURLE_PEER_FAILED_VERIFICATION;
}
- if(ret && SSL_CONN_CONFIG(verifyhost)) {
- if(ret & MBEDTLS_X509_BADCERT_CN_MISMATCH)
- failf(data, "Cert verify failed: BADCERT_CN_MISMATCH");
- return CURLE_PEER_FAILED_VERIFICATION;
- }
peercert = mbedtls_ssl_get_peer_cert(&BACKEND->ssl);