From a320fabd09f43c02c869c90a5a5a70a49dd77f89 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Thu, 6 Nov 2014 21:22:18 +0000
Subject: EXPERIMENTAL_CERTNAMES: Hostlist for cert name checks should match host connected-to, not be list of acceptable names. The name checked is the host name.
---
 src/src/tls-gnu.c | 10 +++-------
 src/src/tls-openssl.c | 10 +++-------
 2 files changed, 6 insertions(+), 14 deletions(-)
(limited to 'src')
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 04de02d74..093b3a375 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1846,17 +1846,13 @@ if (( state->exp_tls_verify_certificates ) {
 #ifdef EXPERIMENTAL_CERTNAMES
- if (ob->tls_verify_cert_hostnames)
+ if (verify_check_host(&ob->tls_verify_cert_hostnames) == OK)
 {
 DEBUG(D_tls) debug_printf("TLS: server cert incl. hostname verification required.\n");
 state->verify_requirement = VERIFY_WITHHOST;
- if (!expand_check(ob->tls_verify_cert_hostnames,
- US"tls_verify_cert_hostnames",
- &state->exp_tls_verify_cert_hostnames))
- return FAIL;
- if (state->exp_tls_verify_cert_hostnames)
- DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
+ state->exp_tls_verify_cert_hostnames = host->name;
+ DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
 state->exp_tls_verify_cert_hostnames);
 }
 else
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 63bf83b1d..628860044 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
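Review bot: The new `if (verify_check_host(&ob->tls_verify_cert_hostnames) == OK)` treats every non-OK result alike, so a host-list evaluation that returns DEFER (a list item that cannot be evaluated right now) drops into the `else` branch and the session proceeds without the hostname requirement instead of deferring — a fail-open on a verification control, whereas the removed lines returned FAIL when the option could not be evaluated. Keeping that behaviour would be `int rc = verify_check_host(&ob->tls_verify_cert_hostnames); if (rc == DEFER) return FAIL; if (rc == OK)` (whether FAIL or DEFER is the correct return for this function is not visible in the hunk). The tls-openssl.c hunk has the same `== OK` comparison and needs the same handling. Since `host->name` is now the only name the certificate is checked against, a comment above the assignment such as `/* The name matched against the cert is the host we connected to; the list only selects which hosts require the check. */` would record the changed meaning of the option. The enclosing function starts and ends outside the hunk.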
@@ -1692,14 +1692,10 @@ if ((!ob->tls_verify_hosts && !ob->tls_try_verify_hosts) ||
 client_verify_optional = FALSE;
 #ifdef EXPERIMENTAL_CERTNAMES
- if (ob->tls_verify_cert_hostnames)
+ if (verify_check_host(&ob->tls_verify_cert_hostnames) == OK)
 {
- if (!expand_check(ob->tls_verify_cert_hostnames,
- US"tls_verify_cert_hostnames",
- &cbinfo->verify_cert_hostnames))
- return FAIL;
- if (cbinfo->verify_cert_hostnames)
- DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
+ cbinfo->verify_cert_hostnames = host->name;
+ DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
 cbinfo->verify_cert_hostnames);
 }
 #endif
-- cgit v1.2.3
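Review bot: The removed `if (cbinfo->verify_cert_hostnames)` guard has no replacement, so the `DEBUG` line now formats `host->name` with `%s` unconditionally; if `host->name` can be NULL for the host being connected to (not visible here) that is undefined behaviour in the debug output, and more importantly the later certificate name check would be run with no name to match. A guard such as `if (!host->name) return FAIL;` before the assignment (FAIL being what the removed expansion-error path returned) keeps the check fail-closed; the tls-gnu.c hunk drops the same guard. It is also worth a comment that `host->name` is presumably the name the router produced for this host (e.g. from an MX lookup), so unless that lookup was authenticated the certificate is bound to whatever name the lookup returned rather than to an operator-configured name — a property of this design the option documentation should state. The enclosing function starts and ends outside the hunk.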