mbedtls: use VERIFYHOST
authorDaniel Stenberg <daniel@haxx.se>
Mon, 17 Dec 2018 12:08:41 +0000 (13:08 +0100)
committerDaniel Stenberg <daniel@haxx.se>
Mon, 17 Dec 2018 22:36:42 +0000 (23:36 +0100)
Previously, VERIFYPEER would enable/disable all checks.

Reported-by: Eric Rosenquist
Fixes #3376
Closes #3380

lib/vtls/mbedtls.c

index 6a20e276e366659645c092567f4d4945d1aeb5e0..ec1c13d959230fd3c46cfa74c13457b88bc793e6 100644 (file)
@@ -583,14 +583,16 @@ mbed_connect_step2(struct connectdata *conn,
       return CURLE_PEER_FAILED_VERIFICATION;
     }
 
-    if(ret & MBEDTLS_X509_BADCERT_CN_MISMATCH)
-      failf(data, "Cert verify failed: BADCERT_CN_MISMATCH");
-
     if(ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED)
       failf(data, "Cert verify failed: BADCERT_NOT_TRUSTED");
 
     return CURLE_PEER_FAILED_VERIFICATION;
   }
+  if(ret && SSL_CONN_CONFIG(verifyhost)) {
+    if(ret & MBEDTLS_X509_BADCERT_CN_MISMATCH)
+      failf(data, "Cert verify failed: BADCERT_CN_MISMATCH");
+    return CURLE_PEER_FAILED_VERIFICATION;
+  }
 
   peercert = mbedtls_ssl_get_peer_cert(&BACKEND->ssl);
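Review bot: The added `if(ret && SSL_CONN_CONFIG(verifyhost))` branch rejects the connection on any non-zero verify flag, not only a hostname mismatch. When the preceding block is skipped (presumably because VERIFYPEER is off; its condition is outside the hunk), a certificate that is merely untrusted but whose name matches still fails, and it fails without a failf() message. Testing the specific bit would keep the host check independent of the chain check: `if((ret & MBEDTLS_X509_BADCERT_CN_MISMATCH) && SSL_CONN_CONFIG(verifyhost)) {`, with the failf() call made unconditionally inside. The opposite combination also needs confirming: if the earlier block is still entered on any non-zero `ret`, a CN mismatch would keep failing with VERIFYPEER on and VERIFYHOST off. mbed_connect_step2 starts and ends outside the hunk.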