Re: Changed logic in verifyhost()

From: Erland Costyson <erland.costyson_at_gmail.com>
Date: Mon, 23 May 2016 20:48:52 +0200

On Mon, May 23, 2016 at 8:22 PM, Daniel Stenberg <daniel_at_haxx.se> wrote:

> I'm not following. If that condition equals false, then we haven't found a
> match yet so it remains set to FALSE. Isn't that good?
>

In 7.47.1, if "if(check->type == target)" is false, matched will still be -1, so

if(matched == 1)
  /* an alternative name matched the server hostname */
  infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
else if(matched == 0) {
  /* an alternative name field existed, but didn't match and then - we
     MUST fail */
  infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname);
  .....
}
else {
  .....

will go to the last "else" and continue checking the certificate and I
get a successful result.

In 7.48 we will go to the CURLE_PEER_FAILED_VERIFICATION as it has an
altname but not of the same type.

if(matched)
  /* an alternative name matched */;
else if(altnames) {
  /* an alternative name field existed, but didn't match and then we
     MUST fail */
  infof(data, " subjectAltName does not match %s\n", conn->host.dispname);
  failf(data, "SSL: no alternative certificate subject name matches "
        "target host name '%s'", conn->host.dispname);
  result = CURLE_PEER_FAILED_VERIFICATION;
}
else {
  .....

//Erland
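To make the difference concrete, here is an added C model (not curl's own code) of the two decision paths as the mail above describes them, run against a constructed certificate that carries only an IP-address altname while the target is a DNS name. The san struct, the sample altname lists and the verify_altnames_old/new functions are this example's own names; wildcard matching and the real GENERAL_NAMES walk are left out.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a certificate's subjectAltName entries. */
enum san_type { SAN_DNS, SAN_IP };
struct san { enum san_type type; const char *value; };

/* Constructed samples, not taken from any real certificate. */
const struct san kIpOnlySans[] = { { SAN_IP, "192.0.2.1" } };
const struct san kDnsSans[]    = { { SAN_IP, "192.0.2.1" },
                                   { SAN_DNS, "www.example.com" } };
const struct san kOtherDns[]   = { { SAN_DNS, "other.example" } };

/* Exact comparison stands in for curl's Curl_cert_hostcheck(). */
static bool name_matches(const char *pattern, const char *host)
{
  return strcmp(pattern, host) == 0;
}

/* 7.47.1-style logic: matched starts at -1 and is only touched when an
   altname of the target type is seen, so a cert with altnames of some
   other type returns -1 and the caller goes on to check the CN.
   Returns 1 = matched, 0 = mismatch, -1 = nothing of that type. */
int verify_altnames_old(const struct san *sans, size_t n,
                        enum san_type target, const char *host)
{
  int matched = -1;
  for (size_t i = 0; i < n && matched != 1; i++)
    if (sans[i].type == target)
      matched = name_matches(sans[i].value, host) ? 1 : 0;
  return matched;
}

/* 7.48-style logic as described in the mail: any altname at all sets
   altnames, so a cert whose altnames are all of another type fails
   (0, i.e. CURLE_PEER_FAILED_VERIFICATION) instead of reaching the CN. */
int verify_altnames_new(const struct san *sans, size_t n,
                        enum san_type target, const char *host)
{
  bool matched = false, altnames = false;
  for (size_t i = 0; i < n && !matched; i++) {
    altnames = true;
    if (sans[i].type == target)
      matched = name_matches(sans[i].value, host);
  }
  return matched ? 1 : (altnames ? 0 : -1);
}

int main(void)
{
  printf("old: %d  new: %d\n",
         verify_altnames_old(kIpOnlySans, 1, SAN_DNS, "www.example.com"),
         verify_altnames_new(kIpOnlySans, 1, SAN_DNS, "www.example.com"));
  return 0;
}
```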
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-05-23