sectransp_connect_step1: bail out if SSLSetPeerDomainName fails #8798
Conversation
Before the code would just warn about SSLSetPeerDomainName() errors.
|
Was the intention to continue even if SSLSetPeerDomainName fails? There is a "WARNING" there which makes me think so. @nickzman |
|
I'm not sure if this is even necessary. If you look at the function's internal implementation, you'll see that it fails only under two circumstances: the context is not set, and the session is already active. Neither of which will ever be hit unless the code in this function gets scrambled, so I will be very surprised if this function fails for anyone anywhere. @piru , what are you trying to accomplish? |
|
@nickzman Defensive programming. The API call has an error code. If the error code is set, the operation can be assumed to have failed. Continuing when this operation has failed will (likely) result in security check bypass (hostname will not be validated). Now, if the function can practically never fail, what's the harm in checking the result code and bailing out if error occurred? Also: What is this code trying to accomplish by continuing even if error occurred? |
|
Okay. Although it's not likely to fail, I'm okay with this change. Thanks! |
|
Thanks! |
Before the code would only warn about SSLSetPeerDomainName() errors.
Caller requested host verification and if we can't do it we must fail to connect.