
curl-library

Re: [PATCH] nss: fail with more verbose error message if common name does not match

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 13 Aug 2009 12:59:12 +0200 (CEST)

On Thu, 13 Aug 2009, Kamil Dudka wrote:

> could anybody do a review of the attached patch? It produces a more verbose
> error message if the common name does not match. Additionally it does not ignore
> the value of CURLOPT_SSL_VERIFYHOST.

+ if(conn->data->set.ssl.verifypeer && conn->data->set.ssl.verifyhost) {
+ failf(conn->data, "common name '%s' does not match '%s'",
+ subject, conn->host.dispname);
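Review bot: the `&&` on the first `+` line makes the name-mismatch failure depend on verifypeer as well as verifyhost, so a mismatch is accepted without this error when CURLOPT_SSL_VERIFYHOST is on but CURLOPT_SSL_VERIFYPEER is off; as the two options are independent, gate this failf() on the host check alone, i.e. `if(conn->data->set.ssl.verifyhost) {`. It is also worth confirming that the surrounding function returns an error after failf() rather than only recording the message, since the lines shown here do not include that return.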

This looks wrong to me:

  'ssl.verifyhost' is the variable that controls the host name verification
  against the names used within the certificate.

  'ssl.verifypeer' is the variable that controls if the certificate is legit
  from a CA standpoint.

They're rather separate from each other and you can opt to use one of them,
both or none. Doing the name checking dependent on both variables, like the
snippet above does, conflicts with this idea.

Or is there another more NSS-specific reason to do it this way?

-- 
  / daniel.haxx.se
Received on 2009-08-13