mbedtls: follow-up VERIFYHOST fix from f097669248
authorDaniel Stenberg <daniel@haxx.se>
Wed, 19 Dec 2018 07:46:39 +0000 (08:46 +0100)
committerDaniel Stenberg <daniel@haxx.se>
Thu, 20 Dec 2018 10:00:34 +0000 (11:00 +0100)
Fix-by: Eric Rosenquist
Fixes #3376
Closes #3390

lib/vtls/mbedtls.c

index ec1c13d959230fd3c46cfa74c13457b88bc793e6..88256a8614a204484609ac62a91320dce18675c9 100644 (file)
@@ -574,25 +574,25 @@ mbed_connect_step2(struct connectdata *conn,
 
   ret = mbedtls_ssl_get_verify_result(&BACKEND->ssl);
 
+  if(!SSL_CONN_CONFIG(verifyhost))
+    /* Ignore hostname errors if verifyhost is disabled */
+    ret &= ~MBEDTLS_X509_BADCERT_CN_MISMATCH;
+
   if(ret && SSL_CONN_CONFIG(verifypeer)) {
     if(ret & MBEDTLS_X509_BADCERT_EXPIRED)
       failf(data, "Cert verify failed: BADCERT_EXPIRED");
 
-    if(ret & MBEDTLS_X509_BADCERT_REVOKED) {
+    else if(ret & MBEDTLS_X509_BADCERT_REVOKED)
       failf(data, "Cert verify failed: BADCERT_REVOKED");
-      return CURLE_PEER_FAILED_VERIFICATION;
-    }
 
-    if(ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED)
+    else if(ret & MBEDTLS_X509_BADCERT_CN_MISMATCH)
+      failf(data, "Cert verify failed: BADCERT_CN_MISMATCH");
+
+    else if(ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED)
       failf(data, "Cert verify failed: BADCERT_NOT_TRUSTED");
 
     return CURLE_PEER_FAILED_VERIFICATION;
   }
-  if(ret && SSL_CONN_CONFIG(verifyhost)) {
-    if(ret & MBEDTLS_X509_BADCERT_CN_MISMATCH)
-      failf(data, "Cert verify failed: BADCERT_CN_MISMATCH");
-    return CURLE_PEER_FAILED_VERIFICATION;
-  }
 
   peercert = mbedtls_ssl_get_peer_cert(&BACKEND->ssl);