From f125fc6a22167f3d52c97763e555b2d7d654788e Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Mon, 13 Apr 2026 21:02:10 +0100
Subject: [PATCH] journal-upload: also disable VERIFYHOST when --trust=all is
 used

When --trust=all disables CURLOPT_SSL_VERIFYPEER, the residual
CURLOPT_SSL_VERIFYHOST check is ineffective since an attacker can
present a self-signed certificate with the expected hostname. Disable
both for consistency and log that server certificate verification is
disabled.

Follow-up for 8847551bcbfa8265bae04f567bb1aadc7b480325
---
 src/journal-remote/journal-upload.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/journal-remote/journal-upload.c b/src/journal-remote/journal-upload.c
index c4eab80a1fc..e6cb5dabc26 100644
--- a/src/journal-remote/journal-upload.c
+++ b/src/journal-remote/journal-upload.c
@@ -307,10 +307,13 @@ int start_upload(Uploader *u,
                                     LOG_ERR, return -EXFULL);
                 }
 
-                if (STRPTR_IN_SET(arg_trust, "-", "all"))
+                if (STRPTR_IN_SET(arg_trust, "-", "all")) {
+                        log_info("Server certificate verification disabled.");
                         easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L,
                                     LOG_ERR, return -EUCLEAN);
-                else if (arg_trust || startswith(u->url, "https://"))
+                        easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L,
+                                    LOG_ERR, return -EUCLEAN);
+                } else if (arg_trust || startswith(u->url, "https://"))
                         easy_setopt(curl, CURLOPT_CAINFO, arg_trust ?: TRUST_FILE,
                                     LOG_ERR, return -EXFULL);
 
-- 
2.47.3