From e73fe837a8877c0197721b91e0d5ec40cb7a2cd0 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 11 Aug 2009 21:48:58 +0000
Subject: - Peter Sylvester made the HTTPS test server use specific
 certificates for   each test, so that the test suite can now be used to
 actually test the   verification of cert names etc. This made an error show
 up in the OpenSSL-   specific code where it would attempt to match the CN
 field even if a   subjectAltName exists that doesn't match. This is now fixed
 and verified   in test 311.

---
 lib/ssluse.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'lib')

diff --git a/lib/ssluse.c b/lib/ssluse.c
index 07824b411..bc1934cfc 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1137,6 +1137,12 @@ static CURLcode verifyhost(struct connectdata *conn,
   if(matched)
     /* an alternative name matched the server hostname */
     infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
+  else if(altnames) {
+    /* an alternative name field existed, but didn't match and then
+       we MUST fail */
+    infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname);
+    res = CURLE_PEER_FAILED_VERIFICATION;
+  }
   else {
     /* we have to look to the last occurence of a commonName in the
        distinguished one to get the most significant one. */
-- 
cgit v1.2.3