Commit 481094db authored by Daniel Stenberg's avatar Daniel Stenberg

warn if no CN is available if verify is only set to 1

parent 840c0af0
+23 −14
@@ -1025,11 +1025,19 @@ Curl_SSLConnect(struct connectdata *conn)
                                  NID_commonName,
                                  peer_CN,
                                  sizeof(peer_CN)) < 0) {
      /* Failed to get the CN field from the server's certificate */
      if (data->set.ssl.verifyhost > 1) {
        failf(data, "SSL: unable to obtain common name from peer certificate");
        X509_free(conn->ssl.server_cert);
        return CURLE_SSL_PEER_CERTIFICATE;
      }

      else
        /* Consider verifyhost == 1 as an "OK" for a missing CN field, but we
           output a note about the situation */
        infof(data, "\t common name: WARNING couldn't obtain\n");
    }
    else {
      /* Compare the CN field with the remote host name */
      if (!cert_hostcheck(peer_CN, conn->hostname)) {
        if (data->set.ssl.verifyhost > 1) {
          failf(data, "SSL: certificate subject name '%s' does not match "
@@ -1046,6 +1054,7 @@ Curl_SSLConnect(struct connectdata *conn)
      else
        infof(data, "\t common name: %s (matched)\n", peer_CN);
    }
  }

  str = X509_NAME_oneline (X509_get_issuer_name  (conn->ssl.server_cert),
                           NULL, 0);
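Review bot: The CN lookup result is only tested with `sizeof(peer_CN)) < 0` (the call itself starts above the hunk; presumably `X509_NAME_get_text_by_NID`), so the returned length is never compared with `strlen(peer_CN)`. A CN containing an embedded NUL byte would therefore reach `cert_hostcheck(peer_CN, conn->hostname)` and the `(matched)` message as a truncated C string, and the truncated name could pass the host check. I would keep the length in a local and treat a mismatch as a failed lookup, e.g. `if (len < 0 || (size_t)len != strlen(peer_CN))`, so it takes the same `verifyhost > 1` rejection path. Separately, the new `else` branch reports a missing CN only through `infof`, so a caller running with `verifyhost == 1` gets no error code for it; the comment there should say that the connection is deliberately allowed to continue unverified. `Curl_SSLConnect` begins and ends outside the visible hunks.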