lib-ssl-iostream: Do not skip cert name check if invalid cert is allowed

Caller should be responsible for ignoring this error, not us.
All the locations calling here are dealing this correctly.

diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index 8e194046aa3d134a944de88f567373c10f82b479..a8ce19ad41183867382fbf8be4b48e2e56b5f956 100644 (file)
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -613,8 +613,6 @@ static bool
 openssl_iostream_cert_match_name(struct ssl_iostream *ssl_io,
                                 const char *verify_name, const char **reason_r)
 {
-       if (ssl_io->allow_invalid_cert)
-               return TRUE;
        if (!ssl_iostream_has_valid_client_cert(ssl_io)) {
                *reason_r = "Invalid certificate";
                return FALSE;
@@ -654,7 +652,8 @@ static int openssl_iostream_handshake(struct ssl_iostream *ssl_io)
                        openssl_iostream_set_error(ssl_io, error);
                        ssl_io->handshake_failed = TRUE;
                }
-       } else if (ssl_io->connected_host != NULL && !ssl_io->handshake_failed) {
+       } else if (ssl_io->connected_host != NULL && !ssl_io->handshake_failed &&
+                 !ssl_io->allow_invalid_cert) {
                if (!ssl_iostream_cert_match_name(ssl_io, ssl_io->connected_host, &reason)) {
                        openssl_iostream_set_error(ssl_io, t_strdup_printf(
                                "SSL certificate doesn't match expected host name %s: %s",