Ben fixed this in r1568349. Thanks, Ben. - Julian
Julian Foad wrote: > This commit is causing a change of behaviour for me against the Apache svn > repo. [...] >> + svn_boolean_t found_san_entry; >> >> @@ -232,6 +233,7 @@ ssl_server_cert(void *baton, int failure >> /* Try to find matching server name via subjectAltName first... */ >> if (san) { > > Here, "san" is false (no SubjectAltName found), so found_san_entry > remains uninitialized... > >> int i; >> + found_san_entry = san->nelts > 0; >> for (i = 0; i < san->nelts; i++) { >> @@ -243,8 +245,11 @@ ssl_server_cert(void *baton, int failure >> } >> } >> >> - /* Match server certificate CN with the hostname of the server */ >> - if (!found_matching_hostname) >> + /* Match server certificate CN with the hostname of the server iff >> + * we didn't find any subjectAltName fields and try to match them. >> + * Per RFC 2818 they are authoritative if present and CommonName >> + * should be ignored. */ >> + if (!found_matching_hostname && !found_san_entry) >> { > > ... and here we skip this block because found_san_entry is -134885336 i.e. > "true". > > This results in the certificate being considered invalid. > > - Julian
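Review bot: in the first hunk (`@@ -232,6 +233,7 @@`), `svn_boolean_t found_san_entry;` is declared without an initializer and is only assigned inside `if (san) {`, so on the no-subjectAltName path the variable still holds whatever was on the stack when the later `!found_matching_hostname && !found_san_entry` test reads it; declare it as `svn_boolean_t found_san_entry = FALSE;` so that path falls through to the CommonName check as intended.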
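Review bot: the comment added in the second hunk (`@@ -243,8 +245,11 @@`), "iff we didn't find any subjectAltName fields and try to match them", is hard to parse and does not say which subjectAltName type matters; RFC 2818 section 3.1 makes a subjectAltName of type dNSName authoritative and only then says to ignore the CommonName, so suggest wording it as "Fall back to the CommonName only if the certificate carried no subjectAltName dNSName entries to match against (RFC 2818 section 3.1)".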
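As an added example, not Subversion's code and not part of the thread above, here is the check the patch is trying to implement, with the flag initialized at its declaration so the no-subjectAltName path is well-defined. The certificate is a constructed toy struct rather than a parsed X.509 certificate, and the host names and the single-label wildcard rule are assumptions chosen for illustration:

```c
/* Added example (not Subversion's own code): server-name matching with
 * RFC 2818 section 3.1 precedence.  Any subjectAltName dNSName entry is
 * authoritative; the subject CommonName is consulted only when the
 * certificate carries no dNSName entries at all.  The certificate is a
 * constructed toy struct rather than a parsed X.509 certificate. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SAN 4

struct toy_cert {
    const char *cn;           /* subject CommonName, or NULL if absent */
    const char *san[MAX_SAN]; /* subjectAltName dNSName entries */
    size_t nsan;              /* number of entries in san[] */
};

/* Case-insensitive equality; DNS names compare case-insensitively. */
static bool ci_eq(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Match one certificate name against the host.  A wildcard is accepted
 * only as the whole leftmost label ("*.example.org") and matches exactly
 * one label, so it covers "svn.example.org" but not "a.b.example.org"
 * or the bare "example.org". */
static bool name_matches(const char *pattern, const char *host)
{
    if (pattern[0] == '*' && pattern[1] == '.') {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return false;
        return ci_eq(pattern + 1, dot);
    }
    return ci_eq(pattern, host);
}

bool cert_matches_host(const struct toy_cert *cert, const char *host)
{
    bool found_matching_hostname = false;
    /* Initialized at declaration: on the no-SAN path nothing else
     * assigns it, and the CN fallback below reads it. */
    bool found_san_entry = false;
    size_t i;

    if (cert->nsan > 0) {
        found_san_entry = true;
        for (i = 0; i < cert->nsan && !found_matching_hostname; i++)
            found_matching_hostname = name_matches(cert->san[i], host);
    }

    /* CN is a fallback only when there were no SAN entries to try. */
    if (!found_matching_hostname && !found_san_entry && cert->cn != NULL)
        found_matching_hostname = name_matches(cert->cn, host);

    return found_matching_hostname;
}

/* Constructed certificates covering the three interesting paths. */
const struct toy_cert cert_cn_only =
    { "svn.apache.org", { NULL }, 0 };               /* the path that broke */
const struct toy_cert cert_san_wildcard =
    { "unrelated.example", { "*.apache.org" }, 1 };  /* SAN decides */
const struct toy_cert cert_san_ignores_cn =
    { "svn.apache.org", { "svn.example.org" }, 1 };  /* CN must be ignored */

int main(void)
{
    printf("cn-only        : %d\n", cert_matches_host(&cert_cn_only, "svn.apache.org"));
    printf("san wildcard   : %d\n", cert_matches_host(&cert_san_wildcard, "svn.apache.org"));
    printf("san ignores cn : %d\n", cert_matches_host(&cert_san_ignores_cn, "svn.apache.org"));
    return 0;
}
```

The first constructed certificate is the case Julian hit: no subjectAltName at all, so the result must come from the CommonName, which only works if `found_san_entry` has a defined false value on that path. The third shows why the flag exists at all: a matching CommonName is disregarded once the certificate carries any dNSName entry.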