mbedtls: use VERIFYHOST

Previously, VERIFYPEER would enable/disable all checks. Reported-by: Eric Rosenquist Fixes #3376 Closes #3380
author: Daniel Stenberg <daniel@haxx.se> 2018-12-17 13:08:41 +0100
committer: Daniel Stenberg <daniel@haxx.se> 2018-12-17 23:36:42 +0100
commit: f097669248a877dece74fdb525e82bfe1b69df90 (patch)
tree: fdc5b42dd28b273dc2ba2ad5c960a4f8207abbd4
parent: d8a9de62034cff6153ab78cff3e3ae30f786ec39 (diff)
1 files changed, 5 insertions, 3 deletions
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 6a20e276e..ec1c13d95 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -583,14 +583,16 @@ mbed_connect_step2(struct connectdata *conn,
       return CURLE_PEER_FAILED_VERIFICATION;
     }
 
-    if(ret & MBEDTLS_X509_BADCERT_CN_MISMATCH)
-      failf(data, "Cert verify failed: BADCERT_CN_MISMATCH");
-
     if(ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED)
       failf(data, "Cert verify failed: BADCERT_NOT_TRUSTED");
 
     return CURLE_PEER_FAILED_VERIFICATION;
   }
+  if(ret && SSL_CONN_CONFIG(verifyhost)) {
+    if(ret & MBEDTLS_X509_BADCERT_CN_MISMATCH)
+      failf(data, "Cert verify failed: BADCERT_CN_MISMATCH");
+    return CURLE_PEER_FAILED_VERIFICATION;
+  }
 
   peercert = mbedtls_ssl_get_peer_cert(&BACKEND->ssl);
author	Daniel Stenberg <daniel@haxx.se>	2018-12-17 13:08:41 +0100
committer	Daniel Stenberg <daniel@haxx.se>	2018-12-17 23:36:42 +0100
commit	f097669248a877dece74fdb525e82bfe1b69df90 (patch)
tree	fdc5b42dd28b273dc2ba2ad5c960a4f8207abbd4
parent	d8a9de62034cff6153ab78cff3e3ae30f786ec39 (diff)