- Peter Sylvester made the HTTPS test server use specific certificates for

each test, so that the test suite can now be used to actually test the verification of cert names etc. This made an error show up in the OpenSSL- specific code where it would attempt to match the CN field even if a subjectAltName exists that doesn't match. This is now fixed and verified in test 311.
author: Daniel Stenberg <daniel@haxx.se> 2009-08-11 21:48:58 +0000
committer: Daniel Stenberg <daniel@haxx.se> 2009-08-11 21:48:58 +0000
commit: e73fe837a8877c0197721b91e0d5ec40cb7a2cd0 (patch)
tree: 241c5ac517e86455b87876c56afafbeb26b3d1f8 /lib/ssluse.c
parent: a9caeb1064bf942a6c066a8c048f077409d1b937 (diff)
download: curl-e73fe837a8877c0197721b91e0d5ec40cb7a2cd0.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/ssluse.c b/lib/ssluse.c
index 07824b411..bc1934cfc 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1137,6 +1137,12 @@ static CURLcode verifyhost(struct connectdata *conn,
   if(matched)
     /* an alternative name matched the server hostname */
     infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
+  else if(altnames) {
+    /* an alternative name field existed, but didn't match and then
+       we MUST fail */
+    infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname);
+    res = CURLE_PEER_FAILED_VERIFICATION;
+  }
   else {
     /* we have to look to the last occurence of a commonName in the
        distinguished one to get the most significant one. */
author	Daniel Stenberg <daniel@haxx.se>	2009-08-11 21:48:58 +0000
committer	Daniel Stenberg <daniel@haxx.se>	2009-08-11 21:48:58 +0000
commit	e73fe837a8877c0197721b91e0d5ec40cb7a2cd0 (patch)
tree	241c5ac517e86455b87876c56afafbeb26b3d1f8 /lib/ssluse.c
parent	a9caeb1064bf942a6c066a8c048f077409d1b937 (diff)
download	curl-e73fe837a8877c0197721b91e0d5ec40cb7a2cd0.tar.gz