aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--lib/ssluse.c37
1 files changed, 23 insertions, 14 deletions
diff --git a/lib/ssluse.c b/lib/ssluse.c
index a31cb13dc..14142822b 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1025,26 +1025,35 @@ Curl_SSLConnect(struct connectdata *conn)
NID_commonName,
peer_CN,
sizeof(peer_CN)) < 0) {
- failf(data, "SSL: unable to obtain common name from peer certificate");
- X509_free(conn->ssl.server_cert);
- return CURLE_SSL_PEER_CERTIFICATE;
- }
-
- if (!cert_hostcheck(peer_CN, conn->hostname)) {
+ /* Failed to get the CN field from the server's certificate */
if (data->set.ssl.verifyhost > 1) {
- failf(data, "SSL: certificate subject name '%s' does not match "
- "target host name '%s'",
- peer_CN, conn->hostname);
+ failf(data, "SSL: unable to obtain common name from peer certificate");
X509_free(conn->ssl.server_cert);
return CURLE_SSL_PEER_CERTIFICATE;
}
else
- infof(data,
- "\t common name: %s (does not match '%s')\n",
- peer_CN, conn->hostname);
+ /* Consider verifyhost == 1 as an "OK" for a missing CN field, but we
+ output a note about the situation */
+ infof(data, "\t common name: WARNING couldn't obtain\n");
+ }
+ else {
+ /* Compare the CN field with the remote host name */
+ if (!cert_hostcheck(peer_CN, conn->hostname)) {
+ if (data->set.ssl.verifyhost > 1) {
+ failf(data, "SSL: certificate subject name '%s' does not match "
+ "target host name '%s'",
+ peer_CN, conn->hostname);
+ X509_free(conn->ssl.server_cert);
+ return CURLE_SSL_PEER_CERTIFICATE;
+ }
+ else
+ infof(data,
+ "\t common name: %s (does not match '%s')\n",
+ peer_CN, conn->hostname);
+ }
+ else
+ infof(data, "\t common name: %s (matched)\n", peer_CN);
}
- else
- infof(data, "\t common name: %s (matched)\n", peer_CN);
}
str = X509_NAME_oneline (X509_get_issuer_name (conn->ssl.server_cert),