aboutsummaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to 'lib')
-rw-r--r--lib/axtls.c28
1 files changed, 18 insertions, 10 deletions
diff --git a/lib/axtls.c b/lib/axtls.c
index 59c8a835e..21806403b 100644
--- a/lib/axtls.c
+++ b/lib/axtls.c
@@ -341,22 +341,30 @@ Curl_axtls_connect(struct connectdata *conn,
/* RFC2818 checks */
if(found_subject_alt_names && !found_subject_alt_name_matching_conn) {
- /* Break connection ! */
- Curl_axtls_close(conn, sockindex);
- free_ssl_structs(ssl_ctx, ssl);
- failf(data, "\tsubjectAltName(s) do not match %s\n", conn->host.dispname);
- return CURLE_PEER_FAILED_VERIFICATION;
+ if(data->set.ssl.verifyhost) {
+ /* Break connection ! */
+ Curl_axtls_close(conn, sockindex);
+ free_ssl_structs(ssl_ctx, ssl);
+ failf(data, "\tsubjectAltName(s) do not match %s\n",
+ conn->host.dispname);
+ return CURLE_PEER_FAILED_VERIFICATION;
+ }
+ else
+ infof(data, "\tsubjectAltName(s) do not match %s\n",
}
else if(found_subject_alt_names == 0) {
/* Per RFC2818, when no Subject Alt Names were available, examine the peer
CN as a legacy fallback */
peer_CN = ssl_get_cert_dn(ssl, SSL_X509_CERT_COMMON_NAME);
if(peer_CN == NULL) {
- /* Similar behaviour to the OpenSSL interface */
- Curl_axtls_close(conn, sockindex);
- free_ssl_structs(ssl_ctx, ssl);
- failf(data, "unable to obtain common name from peer certificate");
- return CURLE_PEER_FAILED_VERIFICATION;
+ if(data->set.ssl.verifyhost) {
+ Curl_axtls_close(conn, sockindex);
+ free_ssl_structs(ssl_ctx, ssl);
+ failf(data, "unable to obtain common name from peer certificate");
+ return CURLE_PEER_FAILED_VERIFICATION;
+ }
+ else
+ infof(data, "unable to obtain common name from peer certificate");
}
else {
if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) {