curl-library
Re: [PATCH] nss: fail with more verbose error message if common name does not match
Date: Thu, 13 Aug 2009 12:59:12 +0200 (CEST)
On Thu, 13 Aug 2009, Kamil Dudka wrote:
> could anybody do a review of the attached patch? It produces a more verbose
> error message if the common name does not match. Additionally it does not ignore
> the value of CURLOPT_SSL_VERIFYHOST.
+ if(conn->data->set.ssl.verifypeer && conn->data->set.ssl.verifyhost) {
+ failf(conn->data, "common name '%s' does not match '%s'",
+ subject, conn->host.dispname);
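Review bot: the `if` on the first `+` line gates the common-name mismatch failure on `verifypeer && verifyhost`, so a caller who enables CURLOPT_SSL_VERIFYHOST but disables CURLOPT_SSL_VERIFYPEER never reaches this `failf()` and the name mismatch goes unreported. Since host name verification is controlled by `ssl.verifyhost` on its own, the condition should be `if(conn->data->set.ssl.verifyhost)` unless there is an NSS-specific reason to tie the two together.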
This looks wrong to me:
'ssl.verifyhost' is the variable that controls the host name verification
against the names used within the certificate.
'ssl.verifypeer' is the variable that controls if the certificate is legit
from a CA standpoint.
They're rather separate from each other and you can opt to use one of them,
both or none. Doing the name checking dependent on both variables like the
snippet above conflicts with this idea.
Or is there another more NSS-specific reason to do it this way?
-- / daniel.haxx.se
Received on 2009-08-13
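The two gating choices discussed above, as an added illustration written for this archive page (it is not libcurl or NSS backend code): a small model in which a CA chain check and a host name check are each guarded by their own switch, the way CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST are meant to work, next to the hunk's gating that requires both switches for the name check. The check results (chain_ok, name_matches) are constructed inputs standing in for what a TLS backend would report; the function names are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>

/* Name check gated as in the posted hunk: both switches must be on before a
   mismatch is reported. */
bool hunk_name_check_fails(bool verifypeer, bool verifyhost, bool name_matches)
{
    return verifypeer && verifyhost && !name_matches;
}

/* Name check gated on the host verification switch alone, which is the
   reviewer's point: CURLOPT_SSL_VERIFYHOST decides host name verification. */
bool independent_name_check_fails(bool verifyhost, bool name_matches)
{
    return verifyhost && !name_matches;
}

/* CA chain check gated on the peer verification switch alone
   (CURLOPT_SSL_VERIFYPEER). */
bool chain_check_fails(bool verifypeer, bool chain_ok)
{
    return verifypeer && !chain_ok;
}

/* Verdict with independent gating: reject if any enabled check failed. */
bool reject_connection(bool verifypeer, bool verifyhost,
                       bool chain_ok, bool name_matches)
{
    return chain_check_fails(verifypeer, chain_ok)
        || independent_name_check_fails(verifyhost, name_matches);
}

/* Verdict with the hunk's gating, for comparison. */
bool reject_connection_hunk(bool verifypeer, bool verifyhost,
                            bool chain_ok, bool name_matches)
{
    return chain_check_fails(verifypeer, chain_ok)
        || hunk_name_check_fails(verifypeer, verifyhost, name_matches);
}

/* Walk all 16 combinations of switches and check results and count the cases
   the hunk's gating accepts although independent gating would reject them.
   With the hunk's condition these are exactly the cases where verifypeer is
   off, verifyhost is on and the name does not match (chain_ok either way). */
int count_silently_accepted(void)
{
    int count = 0;
    for (int bits = 0; bits < 16; bits++) {
        bool vp = bits & 1, vh = bits & 2, chain_ok = bits & 4, nm = bits & 8;
        if (reject_connection(vp, vh, chain_ok, nm)
            && !reject_connection_hunk(vp, vh, chain_ok, nm))
            count++;
    }
    return count;
}

int main(void)
{
    /* Constructed scenario: peer verification off, host verification on,
       chain fine, common name does not match. */
    bool vp = false, vh = true, chain_ok = true, nm = false;
    printf("hunk gating rejects:        %s\n",
           reject_connection_hunk(vp, vh, chain_ok, nm) ? "yes" : "no");
    printf("independent gating rejects: %s\n",
           reject_connection(vp, vh, chain_ok, nm) ? "yes" : "no");
    printf("combinations accepted only by the hunk's gating: %d\n",
           count_silently_accepted());
    return 0;
}
```

The count is the concrete shape of the objection: every combination where a caller asked for host name checking but turned off CA checking passes the hunk's condition with a mismatching name, while the independent gating still fails it.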