Don't validate the server name against the common name in the server's certificate
authormike <mike@7a7537e8-13f0-0310-91df-b6672ffda945>
Fri, 16 Sep 2011 00:37:18 +0000 (00:37 +0000)
committermike <mike@7a7537e8-13f0-0310-91df-b6672ffda945>
Fri, 16 Sep 2011 00:37:18 +0000 (00:37 +0000)
since it rarely matches.

git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@10004 7a7537e8-13f0-0310-91df-b6672ffda945

cups/http.c

index 6c4cc65c645f42d7902f76b3fd7d272beb13a7a3..e56b5c3fc254227b0676d7db393657d46b32cf67 100644 (file)
@@ -4006,6 +4006,18 @@ http_setup_ssl(http_t *http)             /* I - Connection to server */
   }
 #    endif /* HAVE_SSLSETPROTOCOLVERSIONMAX */
 
+ /*
+  * In general, don't verify certificates since things like the common name
+  * often do not match...
+  */
+
+  if (!error)
+  {
+    error = SSLSetEnableCertVerify(http->tls, false);
+    DEBUG_printf(("4http_setup_ssl: SSLSetEnableCertVerify, error=%d",
+                  (int)error));
+  }
+
 #    ifdef HAVE_SECCERTIFICATECOPYDATA
   if (!error)
   {
@@ -4031,20 +4043,18 @@ http_setup_ssl(http_t *http)            /* I - Connection to server */
 
   if (!error && cg->server_cert_cb != NULL)
   {
-    error = SSLSetEnableCertVerify(http->tls, false);
-    DEBUG_printf(("4http_setup_ssl: SSLSetEnableCertVerify, error=%d",
-                  (int)error));
-
-    if (!error)
-    {
-      error = SSLSetSessionOption(http->tls,
-                                 kSSLSessionOptionBreakOnServerAuth, true);
-      DEBUG_printf(("4http_setup_ssl: kSSLSessionOptionBreakOnServerAuth, "
-                    "error=%d", (int)error));
-    }
+    error = SSLSetSessionOption(http->tls,
+                               kSSLSessionOptionBreakOnServerAuth, true);
+    DEBUG_printf(("4http_setup_ssl: kSSLSessionOptionBreakOnServerAuth, "
+                 "error=%d", (int)error));
   }
 #    endif /* HAVE_SECCERTIFICATECOPYDATA */
 
+ /*
+  * Let the server know which hostname/domain we are trying to connect to
+  * in case it wants to serve up a certificate with a matching common name.
+  */
+
   if (!error)
   {
     hostname = httpAddrLocalhost(http->hostaddr) ? "localhost" : http->hostname;
@@ -4087,8 +4097,8 @@ http_setup_ssl(http_t *http)              /* I - Connection to server */
                httpFreeCredentials(credentials);
              }
 
-             DEBUG_printf(("4http_setup_ssl: Server certificate callback returned "
-                           "%d.", (int)error));
+             DEBUG_printf(("4http_setup_ssl: Server certificate callback "
+                           "returned %d.", (int)error));
            }
            break;