------------------------------------------------------------
revno: 13696
revision-id: squid3@treenet.co.nz-20141220153809-5ip8gdd8hotpqrb8
parent: squid3@treenet.co.nz-20141218130657-1d00v83qbt4t44zw
author: Christos Tsantilas
committer: Amos Jeffries
branch nick: 3.5
timestamp: Sat 2014-12-20 07:38:09 -0800
message:
Fix DONT_VERIFY_DOMAIN ssl flag
The DONT_VERIFY_DOMAIN ssl flag set with the sslflags= option to cache_peer directive does not work correctly.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20141220153809-5ip8gdd8hotpqrb8
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 3f50e1c88508292d5dcdcd2c17abe7436a417635
# timestamp: 2014-12-20 15:50:51 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20141218130657-\
# 1d00v83qbt4t44zw
#
# Begin patch
=== modified file 'src/ssl/support.cc'
--- src/ssl/support.cc 2014-10-07 14:11:12 +0000
+++ src/ssl/support.cc 2014-12-20 15:38:09 +0000
@@ -251,7 +251,7 @@
 debugs(83, 5, "SSL Certificate signature OK: " << buffer);
 
 // Check for domain mismatch only if the current certificate is the peer certificate.
-if (server && peer_cert == X509_STORE_CTX_get_current_cert(ctx)) {
+if (!dont_verify_domain && server && peer_cert == X509_STORE_CTX_get_current_cert(ctx)) {
 if (!Ssl::checkX509ServerValidity(peer_cert, server)) {
 debugs(83, 2, "SQUID_X509_V_ERR_DOMAIN_MISMATCH: Certificate " << buffer << " does not match domainname " << server);
 ok = 0;
@@ -322,8 +322,6 @@
 }
 }
 
-if (!dont_verify_domain && server) {}
-
 if (!ok && !SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail) ) {
 // Find the broken certificate. It may be intermediate.
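Review bot: The new `!dont_verify_domain` guard on the domain-mismatch `if` skips the hostname match silently, so cache.log gives no trace that a peer certificate whose name does not match `server` was accepted because DONT_VERIFY_DOMAIN was set; that is the first thing an operator investigating an unexpected peer identity needs to see. Where this block closes (outside the hunk) an else branch such as `} else if (dont_verify_domain && server) { debugs(83, 3, "DONT_VERIFY_DOMAIN set: skipping domain check for " << server); }` records the bypass at the same facility the mismatch path already logs to. The guard itself deserves a comment stating its scope, e.g. `// DONT_VERIFY_DOMAIN (cache_peer sslflags=) only bypasses the hostname match; the signature check above still applies.` The enclosing verify callback starts and ends outside the hunk, and where `dont_verify_domain` is computed is not visible here; the second hunk only removes the earlier no-op `if (!dont_verify_domain && server) {}`.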