Skip to content

If hostname verification fails, store_context.error is V_OK #244

@joshcooper

Description

@joshcooper

#60 enabled hostname verification by default, as many applications using SSLSockets directly don't know or remember to call post_connection_check.

One unexpected outcome is if an application implements a verify_callback and verification fails, then it is called with preverify_ok=false, but the store_context.error=0 which is OpenSSL::X509::V_OK! This could cause problems if an application assumes store_context.error == 0 means verification succeeded.

If a hostname mismatch is detected, I would expect store_context.error to be set to OpenSSL::X509::V_ERR_CERT_REJECTED so that there is no chance of confusion.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions