From: mike
Date: Fri, 16 Sep 2011 00:37:18 +0000 (+0000)
Subject: Don't validate the server name against the common name in the server's certificate
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3856a0981782ea01fc7916c6cd02fab87a37534f;p=thirdparty%2Fcups.git
Don't validate the server name against the common name in the server's certificate since it rarely matches.
git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@10004 7a7537e8-13f0-0310-91df-b6672ffda945
---
diff --git a/cups/http.c b/cups/http.c
index 6c4cc65c64..e56b5c3fc2 100644
--- a/cups/http.c
+++ b/cups/http.c
@@ -4006,6 +4006,18 @@ http_setup_ssl(http_t *http) /* I - Connection to server */
 }
 # endif /* HAVE_SSLSETPROTOCOLVERSIONMAX */
+ /*
+ * In general, don't verify certificates since things like the common name
+ * often do not match...
+ */
+
+ if (!error)
+ {
+ error = SSLSetEnableCertVerify(http->tls, false);
+ DEBUG_printf(("4http_setup_ssl: SSLSetEnableCertVerify, error=%d",
+ (int)error));
+ }
+
 # ifdef HAVE_SECCERTIFICATECOPYDATA
 if (!error)
 {
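Review bot: The added `SSLSetEnableCertVerify(http->tls, false)` runs for every connection, so chain, trust-anchor and expiry checks are switched off along with the common-name comparison the commit message talks about. In the second hunk `kSSLSessionOptionBreakOnServerAuth` is still set only when `cg->server_cert_cb != NULL`, so a client that registers no callback appears to accept any certificate the peer presents and gets no protection against an on-path attacker. If only name mismatches are meant to be tolerated, keep the call under the existing guard, `if (!error && cg->server_cert_cb != NULL)`, and leave verification on otherwise; the comment should at least say `Certificate verification is disabled entirely here; trust decisions are left to cg->server_cert_cb.` http_setup_ssl begins and ends outside these hunks, so what happens after the handshake when no callback is set is not visible here.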
@@ -4031,20 +4043,18 @@ http_setup_ssl(http_t *http) /* I - Connection to server */
 if (!error && cg->server_cert_cb != NULL)
 {
- error = SSLSetEnableCertVerify(http->tls, false);
- DEBUG_printf(("4http_setup_ssl: SSLSetEnableCertVerify, error=%d",
- (int)error));
-
- if (!error)
- {
- error = SSLSetSessionOption(http->tls,
- kSSLSessionOptionBreakOnServerAuth, true);
- DEBUG_printf(("4http_setup_ssl: kSSLSessionOptionBreakOnServerAuth, "
- "error=%d", (int)error));
- }
+ error = SSLSetSessionOption(http->tls,
+ kSSLSessionOptionBreakOnServerAuth, true);
+ DEBUG_printf(("4http_setup_ssl: kSSLSessionOptionBreakOnServerAuth, "
+ "error=%d", (int)error));
 }
 # endif /* HAVE_SECCERTIFICATECOPYDATA */
+ /*
+ * Let the server know which hostname/domain we are trying to connect to
+ * in case it wants to serve up a certificate with a matching common name.
+ */
+
 if (!error)
 {
 hostname = httpAddrLocalhost(http->hostaddr) ? "localhost" : http->hostname;
@@ -4087,8 +4097,8 @@ http_setup_ssl(http_t *http) /* I - Connection to server */
 httpFreeCredentials(credentials);
 }
- DEBUG_printf(("4http_setup_ssl: Server certificate callback returned "
- "%d.", (int)error));
+ DEBUG_printf(("4http_setup_ssl: Server certificate callback "
+ "returned %d.", (int)error));
 }
 break;