From: Aki Tuomi Date: Mon, 25 Feb 2019 15:44:09 +0000 (+0200) Subject: lib-ssl-iostream: Call ssl_iostream_check_cert_validity as default X-Git-Tag: 2.3.9~761 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2dea2f87f63898cacf84378cfc324d9c4af804b9;p=thirdparty%2Fdovecot%2Fcore.git lib-ssl-iostream: Call ssl_iostream_check_cert_validity as default Unless callback is specified, call ssl_iostream_check_cert_validity instead of ssl_iostream_cert_match_name to make sure we perform same checks consistently. --- diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c index b0393361d5..16e4ca33e0 100644 --- a/src/lib-ssl-iostream/iostream-openssl.c +++ b/src/lib-ssl-iostream/iostream-openssl.c @@ -673,10 +673,8 @@ static int openssl_iostream_handshake(struct ssl_iostream *ssl_io) } } else if (ssl_io->connected_host != NULL && !ssl_io->handshake_failed && !ssl_io->allow_invalid_cert) { - if (!ssl_iostream_cert_match_name(ssl_io, ssl_io->connected_host, &reason)) { - openssl_iostream_set_error(ssl_io, t_strdup_printf( - "SSL certificate doesn't match expected host name %s: %s", - ssl_io->connected_host, reason)); + if (ssl_iostream_check_cert_validity(ssl_io, ssl_io->connected_host, &reason) < 0) { + openssl_iostream_set_error(ssl_io, reason); ssl_io->handshake_failed = TRUE; } }