From 375720dc1cf827e47dba388c86f649c9e20dbdb6 Mon Sep 17 00:00:00 2001
From: Georg Richter
Date: Fri, 6 Sep 2024 10:58:57 +0200
Subject: [PATCH] GnuTLS fixes: To behave like OpenSSL and Schannel, we need to check the hostname, even if other checks failed before.
---
 libmariadb/secure/gnutls.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/libmariadb/secure/gnutls.c b/libmariadb/secure/gnutls.c
index 836472ca..97d505d0 100644
--- a/libmariadb/secure/gnutls.c
+++ b/libmariadb/secure/gnutls.c
@@ -1463,13 +1463,12 @@ int ma_tls_verify_server_cert(MARIADB_TLS *ctls, unsigned int flags)
 if (status & GNUTLS_CERT_REVOKED)
 mysql->net.tls_verify_status|= MARIADB_TLS_VERIFY_REVOKED;
 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
- if (flags & MARIADB_TLS_VERIFY_TRUST)
- mysql->net.tls_verify_status|= MARIADB_TLS_VERIFY_TRUST;
+ mysql->net.tls_verify_status|= MARIADB_TLS_VERIFY_TRUST;
 if ((status & GNUTLS_CERT_NOT_ACTIVATED) || (status & GNUTLS_CERT_EXPIRED))
 mysql->net.tls_verify_status|= MARIADB_TLS_VERIFY_PERIOD;
 }
- if (!status && (flags & MARIADB_TLS_VERIFY_HOST))
+ if ((flags & MARIADB_TLS_VERIFY_HOST))
 {
 gnutls_x509_crt_t cert= ma_get_cert(ctls);
 int rc;
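Review bot: Dropping the `!status` guard on the hostname branch means the name check now runs on a certificate whose chain GnuTLS already rejected, so the outcome of that check must never be allowed to override the failure bits already recorded in `mysql->net.tls_verify_status`; the return path of ma_tls_verify_server_cert lies outside this hunk, so confirm that a matching hostname cannot turn a revoked, expired or untrusted chain into a successful verification. The removal of the `flags & MARIADB_TLS_VERIFY_TRUST` gate is a second, separate behaviour change: `MARIADB_TLS_VERIFY_TRUST` is now recorded whenever `GNUTLS_CERT_SIGNER_NOT_FOUND` is set, independent of what the caller asked for, which the commit message does not mention and deserves a line of its own. Both intents would be clearer with a comment above the new condition, e.g. `/* Run the hostname check even when chain validation already failed, so tls_verify_status reports every failure (matches OpenSSL/Schannel) */`. The added `if ((flags & MARIADB_TLS_VERIFY_HOST))` carries a redundant pair of parentheses left over from the old compound condition; `if (flags & MARIADB_TLS_VERIFY_HOST)` reads cleaner. If `ma_get_cert()` can return NULL when the peer sent no certificate, that needs a guard before `cert` is used; the lines after `int rc;` are outside the hunk.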