warn if no CN is available if verify is only set to 1
This commit is contained in:
Родитель
840c0af014
Коммит
481094db90
11
lib/ssluse.c
11
lib/ssluse.c
|
@ -1025,11 +1025,19 @@ Curl_SSLConnect(struct connectdata *conn)
|
|||
NID_commonName,
|
||||
peer_CN,
|
||||
sizeof(peer_CN)) < 0) {
|
||||
/* Failed to get the CN field from the server's certificate */
|
||||
if (data->set.ssl.verifyhost > 1) {
|
||||
failf(data, "SSL: unable to obtain common name from peer certificate");
|
||||
X509_free(conn->ssl.server_cert);
|
||||
return CURLE_SSL_PEER_CERTIFICATE;
|
||||
}
|
||||
|
||||
else
|
||||
/* Consider verifyhost == 1 as an "OK" for a missing CN field, but we
|
||||
output a note about the situation */
|
||||
infof(data, "\t common name: WARNING couldn't obtain\n");
|
||||
}
|
||||
else {
|
||||
/* Compare the CN field with the remote host name */
|
||||
if (!cert_hostcheck(peer_CN, conn->hostname)) {
|
||||
if (data->set.ssl.verifyhost > 1) {
|
||||
failf(data, "SSL: certificate subject name '%s' does not match "
|
||||
|
@ -1046,6 +1054,7 @@ Curl_SSLConnect(struct connectdata *conn)
|
|||
else
|
||||
infof(data, "\t common name: %s (matched)\n", peer_CN);
|
||||
}
|
||||
}
|
||||
|
||||
str = X509_NAME_oneline (X509_get_issuer_name (conn->ssl.server_cert),
|
||||
NULL, 0);
|
||||
|
|
Загрузка…
Ссылка в новой задаче