From: Christos Tsantilas
Date: Thu, 18 Dec 2014 16:06:50 +0000 (+0200)
Subject: Fix DONT_VERIFY_DOMAIN ssl flag
X-Git-Tag: merge-candidate-3-v1~430
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2e52fa2b743b0a42371bce9c1f05f74ef698081b;p=thirdparty%2Fsquid.git
Fix DONT_VERIFY_DOMAIN ssl flag
The DONT_VERIFY_DOMAIN ssl flag set with the sslflags= option to cache_peer directive does not work correctly.
---
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index 86ff058366..bd9595bbf1 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -252,7 +252,7 @@ ssl_verify_cb(int ok, X509_STORE_CTX * ctx)
 debugs(83, 5, "SSL Certificate signature OK: " << buffer);
 // Check for domain mismatch only if the current certificate is the peer certificate.
- if (server && peer_cert == X509_STORE_CTX_get_current_cert(ctx)) {
+ if (!dont_verify_domain && server && peer_cert == X509_STORE_CTX_get_current_cert(ctx)) {
 if (!Ssl::checkX509ServerValidity(peer_cert, server)) {
 debugs(83, 2, "SQUID_X509_V_ERR_DOMAIN_MISMATCH: Certificate " << buffer << " does not match domainname " << server);
 ok = 0;
@@ -323,8 +323,6 @@ ssl_verify_cb(int ok, X509_STORE_CTX * ctx)
 }
 }
- if (!dont_verify_domain && server) {}
-
 if (!ok && !SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail) ) {
 // Find the broken certificate. It may be intermediate.
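Review bot: The added `!dont_verify_domain &&` guard on the `if` in the first hunk makes the hostname check silently disappear, yet that check is the only thing binding the peer's certificate to the configured cache_peer name, so skipping it should leave a trace in cache.log that an operator can find when a peer connection is unexpectedly accepted. An `else if (dont_verify_domain && server && peer_cert == X509_STORE_CTX_get_current_cert(ctx))` branch with `debugs(83, 3, "Skipping domain name check for " << server << ": DONT_VERIFY_DOMAIN is set");` would do, and the comment above the condition should be updated to `// Check for domain mismatch only if the current certificate is the peer certificate and DONT_VERIFY_DOMAIN is not set.` Where `dont_verify_domain` and `server` are assigned is not visible in either hunk, so whether the flag can be set for a non-peer (client-side) verification is something to confirm before relying on it. ssl_verify_cb begins before the first hunk and continues past the second.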