authorJeremy Harris <jgh146exb@wizmail.org>2020-09-26 15:35:58 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2020-09-26 15:52:44 +0100
commit4cfb21b860882e76c3d3147b01708b347d0f9a0d (patch)
tree50973ae96ddfa46926054ceb3871807c7a89d940 /src
parentfdf263214d6536aba14944283ffc131597870a46 (diff)
OpenSSL: Fix client-side tls_verify_cert_hostnames behaviour
Diffstat (limited to 'src')
-rw-r--r--src/src/tls-openssl.c15
1 files changed, 10 insertions, 5 deletions
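diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 5bc9f8f53..6ce20f143 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2894,12 +2894,17 @@ tls_client_basic_ctx_init(SSL_CTX * ctx,
 uschar ** errstr)
 {
 int rc;
-/* stick to the old behaviour for compatibility if tls_verify_certificates is
- set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
- the specified host patterns if one of them is defined */
-if ( ( !ob->tls_verify_hosts
- && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
+/* Back-compatible old behaviour if tls_verify_certificates is set but both
+tls_verify_hosts and tls_try_verify_hosts are not set. Check only the specified
+host patterns if one of them is set with content. */
+
+if ( ( ( !ob->tls_verify_hosts || !ob->tls_verify_hosts
+ || Ustrcmp(ob->tls_try_verify_hosts, ":") == 0
+ )
+ && ( !ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts
+ || Ustrcmp(ob->tls_try_verify_hosts, ":") == 0
+ )
 )
  || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
 )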
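Review bot: The first clause of the new `if` repeats the same NULL test twice (`!ob->tls_verify_hosts || !ob->tls_verify_hosts`) and then compares `ob->tls_try_verify_hosts` against ":", so the tls_verify_hosts branch never looks at tls_verify_hosts' content at all; by analogy with the tls_try_verify_hosts clause two lines below, the intended text appears to be `!ob->tls_verify_hosts || !*ob->tls_verify_hosts` followed by `|| Ustrcmp(ob->tls_verify_hosts, ":") == 0`. As written, once tls_verify_hosts is non-NULL the two false disjuncts fall through to `Ustrcmp(ob->tls_try_verify_hosts, ":")`, which is evaluated with a NULL first argument whenever tls_try_verify_hosts is unset — presumably a plain strcmp wrapper, so a crash rather than a configuration error — and an empty tls_verify_hosts is not treated as "not set" despite what the comment above promises. The branch this condition selects is outside the hunk, but judging by the comment it decides whether the legacy unconditional-verify behaviour applies, so the mismatch changes which peers get mandatory certificate checking; a test with tls_verify_hosts set and tls_try_verify_hosts left unset would have caught it. The `if` body and the remainder of tls_client_basic_ctx_init lie beyond the hunk.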