axtls: honor disabled VERIFYHOST

When VERIFYHOST == 0, libcurl should let invalid certificates to pass.

diff --git a/lib/axtls.c b/lib/axtls.c
index 59c8a835ec40cd170b904509376799aa944c3b8f..21806403b96e98947fe93f0bc97f158721ed9514 100644 (file)
--- a/lib/axtls.c
+++ b/lib/axtls.c
@@ -341,22 +341,30 @@ Curl_axtls_connect(struct connectdata *conn,
 
   /* RFC2818 checks */
   if(found_subject_alt_names && !found_subject_alt_name_matching_conn) {
-    /* Break connection ! */
-    Curl_axtls_close(conn, sockindex);
-    free_ssl_structs(ssl_ctx, ssl);
-    failf(data, "\tsubjectAltName(s) do not match %s\n", conn->host.dispname);
-    return CURLE_PEER_FAILED_VERIFICATION;
+    if(data->set.ssl.verifyhost) {
+      /* Break connection ! */
+      Curl_axtls_close(conn, sockindex);
+      free_ssl_structs(ssl_ctx, ssl);
+      failf(data, "\tsubjectAltName(s) do not match %s\n",
+            conn->host.dispname);
+      return CURLE_PEER_FAILED_VERIFICATION;
+    }
+    else
+      infof(data, "\tsubjectAltName(s) do not match %s\n",
   }
   else if(found_subject_alt_names == 0) {
     /* Per RFC2818, when no Subject Alt Names were available, examine the peer
        CN as a legacy fallback */
     peer_CN = ssl_get_cert_dn(ssl, SSL_X509_CERT_COMMON_NAME);
     if(peer_CN == NULL) {
-      /* Similar behaviour to the OpenSSL interface */
-      Curl_axtls_close(conn, sockindex);
-      free_ssl_structs(ssl_ctx, ssl);
-      failf(data, "unable to obtain common name from peer certificate");
-      return CURLE_PEER_FAILED_VERIFICATION;
+      if(data->set.ssl.verifyhost) {
+        Curl_axtls_close(conn, sockindex);
+        free_ssl_structs(ssl_ctx, ssl);
+        failf(data, "unable to obtain common name from peer certificate");
+        return CURLE_PEER_FAILED_VERIFICATION;
+      }
+      else
+        infof(data, "unable to obtain common name from peer certificate");
     }
     else {
       if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) {