Commit b0fd03f5 authored by Daniel Stenberg

certcheck: use the custom Host: name for checks

If you use a custom Host: name in a request to an SSL server, libcurl
will now use that given name when it verifies the server certificate,
rather than the host name used in the actual URL.
parent 4b2fbe1e
+8 −4
@@ -1125,16 +1125,20 @@ static CURLcode verifyhost(struct connectdata *conn,
  struct in_addr addr;
#endif
  CURLcode res = CURLE_OK;
  char *hostname;

  hostname = conn->allocptr.customhost?conn->allocptr.customhost:
    conn->host.name;

#ifdef ENABLE_IPV6
  if(conn->bits.ipv6_ip &&
     Curl_inet_pton(AF_INET6, conn->host.name, &addr)) {
     Curl_inet_pton(AF_INET6, hostname, &addr)) {
    target = GEN_IPADD;
    addrlen = sizeof(struct in6_addr);
  }
  else
#endif
    if(Curl_inet_pton(AF_INET, conn->host.name, &addr)) {
    if(Curl_inet_pton(AF_INET, hostname, &addr)) {
      target = GEN_IPADD;
      addrlen = sizeof(struct in_addr);
    }
@@ -1176,7 +1180,7 @@ static CURLcode verifyhost(struct connectdata *conn,
          if((altlen == strlen(altptr)) &&
             /* if this isn't true, there was an embedded zero in the name
                string and we cannot match it. */
             cert_hostcheck(altptr, conn->host.name))
             cert_hostcheck(altptr, hostname))
            matched = 1;
          else
            matched = 0;
@@ -1278,7 +1282,7 @@ static CURLcode verifyhost(struct connectdata *conn,
            "SSL: unable to obtain common name from peer certificate");
      res = CURLE_PEER_FAILED_VERIFICATION;
    }
    else if(!cert_hostcheck((const char *)peer_CN, conn->host.name)) {
    else if(!cert_hostcheck((const char *)peer_CN, hostname)) {
      if(data->set.ssl.verifyhost > 1) {
        failf(data, "SSL: certificate subject name '%s' does not match "
              "target host name '%s'", peer_CN, conn->host.dispname);
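Review bot: The mismatch message at the end of the last hunk still prints `conn->host.dispname`, while the comparison just above it now checks `hostname`, so with a custom Host: set the log names a host that was not the one compared against the certificate. Passing the checked name keeps the failure diagnosable: `"target host name '%s'", peer_CN, hostname);`. In the first hunk `hostname` is taken from `conn->allocptr.customhost` unchanged; that field is assigned outside this diff, so it is worth confirming it never carries a `:port` suffix or surrounding whitespace, since `Curl_inet_pton()` and `cert_hostcheck()` would then never match. Since `hostname` is only read, `const char *hostname;` would also document that. verifyhost starts and ends outside the hunks shown.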