warn if no CN is available if verify is only set to 1

This commit is contained in:
Daniel Stenberg 2003-09-03 20:47:17 +00:00
Родитель 840c0af014
Коммит 481094db90
1 изменённых файлов: 23 добавлений и 14 удалений

Просмотреть файл

@ -1025,11 +1025,19 @@ Curl_SSLConnect(struct connectdata *conn)
NID_commonName,
peer_CN,
sizeof(peer_CN)) < 0) {
/* Failed to get the CN field from the server's certificate */
if (data->set.ssl.verifyhost > 1) {
failf(data, "SSL: unable to obtain common name from peer certificate");
X509_free(conn->ssl.server_cert);
return CURLE_SSL_PEER_CERTIFICATE;
}
else
/* Consider verifyhost == 1 as an "OK" for a missing CN field, but we
output a note about the situation */
infof(data, "\t common name: WARNING couldn't obtain\n");
}
else {
/* Compare the CN field with the remote host name */
if (!cert_hostcheck(peer_CN, conn->hostname)) {
if (data->set.ssl.verifyhost > 1) {
failf(data, "SSL: certificate subject name '%s' does not match "
@ -1046,6 +1054,7 @@ Curl_SSLConnect(struct connectdata *conn)
else
infof(data, "\t common name: %s (matched)\n", peer_CN);
}
}
str = X509_NAME_oneline (X509_get_issuer_name (conn->ssl.server_cert),
NULL, 0);