From: Aki Tuomi Date: Tue, 27 Mar 2018 07:20:54 +0000 (+0300) Subject: lib-ssl-iostream: Do not skip cert name check if invalid cert is allowed X-Git-Tag: 2.3.2.rc1~89 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b2bae07836e882d290a9b812a3275581ec94bf67;p=thirdparty%2Fdovecot%2Fcore.git lib-ssl-iostream: Do not skip cert name check if invalid cert is allowed Caller should be responsible for ignoring this error, not us. All the locations calling here are dealing this correctly. --- diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c index 8e194046aa..a8ce19ad41 100644 --- a/src/lib-ssl-iostream/iostream-openssl.c +++ b/src/lib-ssl-iostream/iostream-openssl.c @@ -613,8 +613,6 @@ static bool openssl_iostream_cert_match_name(struct ssl_iostream *ssl_io, const char *verify_name, const char **reason_r) { - if (ssl_io->allow_invalid_cert) - return TRUE; if (!ssl_iostream_has_valid_client_cert(ssl_io)) { *reason_r = "Invalid certificate"; return FALSE; @@ -654,7 +652,8 @@ static int openssl_iostream_handshake(struct ssl_iostream *ssl_io) openssl_iostream_set_error(ssl_io, error); ssl_io->handshake_failed = TRUE; } - } else if (ssl_io->connected_host != NULL && !ssl_io->handshake_failed) { + } else if (ssl_io->connected_host != NULL && !ssl_io->handshake_failed && + !ssl_io->allow_invalid_cert) { if (!ssl_iostream_cert_match_name(ssl_io, ssl_io->connected_host, &reason)) { openssl_iostream_set_error(ssl_io, t_strdup_printf( "SSL certificate doesn't match expected host name %s: %s",
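Review bot: With the early return removed, `openssl_iostream_cert_match_name` now fails with "Invalid certificate" even when `allow_invalid_cert` is set, and nothing at the function tells a caller that the bypass has become its responsibility. The commit message says every caller already handles this, but those call sites are not in this diff, so each one is worth confirming. I would add a comment above the function, e.g. `/* Does not consult allow_invalid_cert: callers that accept invalid certificates must skip this check or ignore its failure. */`. The function body continues past the end of the hunk.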
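Review bot: The added `!ssl_io->allow_invalid_cert` term in the `else if` of `openssl_iostream_handshake` skips the host name comparison altogether, so under that setting a certificate that validates but names a different host is accepted without any error being set. That matches what the removed early return did before, but it is now an implicit property of the handshake path and easy to lose in a later edit. A comment on the condition would record it, e.g. `/* allow_invalid_cert also disables host name matching here */`. The enclosing function starts and ends outside the hunk, so the condition of the preceding branch cannot be seen from here.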