Unverified Commit f0976692 authored by Daniel Stenberg's avatar Daniel Stenberg

mbedtls: use VERIFYHOST

Previously, VERIFYPEER would enable/disable all checks.

Reported-by: Eric Rosenquist
Fixes #3376
Closes #3380
parent d8a9de62
+5 −3
@@ -583,14 +583,16 @@ mbed_connect_step2(struct connectdata *conn,
      return CURLE_PEER_FAILED_VERIFICATION;
    }

    if(ret & MBEDTLS_X509_BADCERT_CN_MISMATCH)
      failf(data, "Cert verify failed: BADCERT_CN_MISMATCH");

    if(ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED)
      failf(data, "Cert verify failed: BADCERT_NOT_TRUSTED");

    return CURLE_PEER_FAILED_VERIFICATION;
  }
  if(ret && SSL_CONN_CONFIG(verifyhost)) {
    if(ret & MBEDTLS_X509_BADCERT_CN_MISMATCH)
      failf(data, "Cert verify failed: BADCERT_CN_MISMATCH");
    return CURLE_PEER_FAILED_VERIFICATION;
  }

  peercert = mbedtls_ssl_get_peer_cert(&BACKEND->ssl);
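Review bot: The new `if(ret && SSL_CONN_CONFIG(verifyhost))` branch fires on any non-zero verify flag, not only on a name mismatch, so with VERIFYHOST on and VERIFYPEER off a certificate whose name matches is still rejected for unrelated flags, and because `failf` runs only for CN_MISMATCH that rejection carries no message. Testing the bit keeps the two options independent: `if((ret & MBEDTLS_X509_BADCERT_CN_MISMATCH) && SSL_CONN_CONFIG(verifyhost)) {`. The verifypeer block above opens outside the hunk; if its condition is also a bare `ret`, a CN mismatch alone would still fail there with VERIFYHOST off, so that condition probably needs to mask out the CN bit as well. A short comment above the new branch, e.g. `/* hostname check is governed by VERIFYHOST, chain/validity checks by VERIFYPEER */`, would record which option owns which flags; mbed_connect_step2 starts and ends outside the hunk.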