warn if no CN is available if verify is only set to 1

author: Daniel Stenberg <daniel@haxx.se> 2003-09-03 20:47:17 +0000
committer: Daniel Stenberg <daniel@haxx.se> 2003-09-03 20:47:17 +0000
commit: 481094db905dbc4b1eb6c70519b0b3b1487415ef (patch)
tree: fcc8585f9afe489bbfebb6c2cbf6fd2113884e13 /lib/ssluse.c
parent: 840c0af01431b891c50b2777d564313b6e42375a (diff)
1 files changed, 23 insertions, 14 deletions
diff --git a/lib/ssluse.c b/lib/ssluse.c
index a31cb13dc..14142822b 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1025,26 +1025,35 @@ Curl_SSLConnect(struct connectdata *conn)
                                   NID_commonName,
                                   peer_CN,
                                   sizeof(peer_CN)) < 0) {
-      failf(data, "SSL: unable to obtain common name from peer certificate");
-      X509_free(conn->ssl.server_cert);
-      return CURLE_SSL_PEER_CERTIFICATE;
-    }
-
-    if (!cert_hostcheck(peer_CN, conn->hostname)) {
+      /* Failed to get the CN field from the server's certificate */
       if (data->set.ssl.verifyhost > 1) {
-        failf(data, "SSL: certificate subject name '%s' does not match "
-              "target host name '%s'",
-              peer_CN, conn->hostname);
+        failf(data, "SSL: unable to obtain common name from peer certificate");
         X509_free(conn->ssl.server_cert);
         return CURLE_SSL_PEER_CERTIFICATE;
       }
       else
-        infof(data,
-              "\t common name: %s (does not match '%s')\n",
-              peer_CN, conn->hostname);
+        /* Consider verifyhost == 1 as an "OK" for a missing CN field, but we
+           output a note about the situation */
+        infof(data, "\t common name: WARNING couldn't obtain\n");
+    }
+    else {
+      /* Compare the CN field with the remote host name */
+      if (!cert_hostcheck(peer_CN, conn->hostname)) {
+        if (data->set.ssl.verifyhost > 1) {
+          failf(data, "SSL: certificate subject name '%s' does not match "
+                "target host name '%s'",
+                peer_CN, conn->hostname);
+          X509_free(conn->ssl.server_cert);
+          return CURLE_SSL_PEER_CERTIFICATE;
+        }
+        else
+          infof(data,
+                "\t common name: %s (does not match '%s')\n",
+                peer_CN, conn->hostname);
+      }
+      else
+        infof(data, "\t common name: %s (matched)\n", peer_CN);
     }
-    else
-      infof(data, "\t common name: %s (matched)\n", peer_CN);
   }
 
   str = X509_NAME_oneline (X509_get_issuer_name  (conn->ssl.server_cert),
author	Daniel Stenberg <daniel@haxx.se>	2003-09-03 20:47:17 +0000
committer	Daniel Stenberg <daniel@haxx.se>	2003-09-03 20:47:17 +0000
commit	481094db905dbc4b1eb6c70519b0b3b1487415ef (patch)
tree	fcc8585f9afe489bbfebb6c2cbf6fd2113884e13 /lib/ssluse.c
parent	840c0af01431b891c50b2777d564313b6e42375a (diff)