authorCarlos Martín Nieto <cmn@elego.de>2012-08-28 14:15:32 +0200
committerCarlos Martín Nieto <cmn@elego.de>2012-08-28 15:39:06 +0200
commit0d5dce268d47c4ecfb3f8cdda3379cd606630105 (patch)
tree7b6d2c451b13a386056eac726e44bf4e25060288
parent62eafd0620eff3d7ca3659a3f4a4808488f0b2c3 (diff)
ssl: make cert check ignore work for invalid certs, not just CNs
Passing SSL_VERIFY_PEER makes OpenSSL shut down the connection if the certificate is invalid, without giving us a chance to ignore that error. Pass SSL_VERIFY_NONE and call SSL_get_verify_result if the user wanted us to check. When no CNs matched, we used to jump to on_error, which produced a misleading error because that label is for OpenSSL library errors. Jump to cert_fail instead so we tell the user that the error came from checking the certificate.
-rw-r--r--src/netops.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/netops.c b/src/netops.c
index 49a0308b..f622e0d1 100644
--- a/src/netops.c
+++ b/src/netops.c
@@ -238,6 +238,10 @@ static int verify_server_cert(git_transport *t, const char *host)
void *addr;
int i = -1,j;
+ if (SSL_get_verify_result(t->ssl.ssl) != X509_V_OK) {
+ giterr_set(GITERR_SSL, "The SSL certificate is invalid");
+ return -1;
+ }
/* Try to parse the host as an IP address to see if it is */
if (inet_pton(AF_INET, host, &addr4)) {
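Review bot: The new SSL_get_verify_result() check at the top of verify_server_cert passes a connection on which the server presented no certificate at all, because OpenSSL returns X509_V_OK in that case (no verification error occurred, which is not the same as a verified peer), and with SSL_VERIFY_NONE now set in ssl_setup nothing else in the library rejects such a connection. The result is only meaningful together with a non-NULL SSL_get_peer_certificate(); if the rest of this function already fetches the peer certificate and fails on NULL (that part of the body is outside the hunk), the ordering is fine, and a comment on the new lines should say so: `/* X509_V_OK is also returned when no cert was presented; the SSL_get_peer_certificate() NULL check below covers that case */`. The error message would also be more useful with the verification reason appended via X509_verify_cert_error_string() on the value returned by SSL_get_verify_result(), so an expired certificate can be told apart from an unknown issuer. verify_server_cert starts before this hunk and continues past it.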
@@ -286,7 +290,7 @@ static int verify_server_cert(git_transport *t, const char *host)
GENERAL_NAMES_free(alts);
if (matched == 0)
- goto on_error;
+ goto cert_fail;
if (matched == 1)
return 0;
@@ -354,7 +358,7 @@ static int ssl_setup(git_transport *t, const char *host)
return ssl_set_error(&t->ssl, 0);
SSL_CTX_set_mode(t->ssl.ctx, SSL_MODE_AUTO_RETRY);
- SSL_CTX_set_verify(t->ssl.ctx, SSL_VERIFY_PEER, NULL);
+ SSL_CTX_set_verify(t->ssl.ctx, SSL_VERIFY_NONE, NULL);
if (!SSL_CTX_set_default_verify_paths(t->ssl.ctx))
return ssl_set_error(&t->ssl, 0);
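Review bot: The SSL_CTX_set_verify(..., SSL_VERIFY_NONE, NULL) line needs a comment, because read on its own it looks like certificate verification was switched off, when the intent is to keep OpenSSL from aborting the handshake so that verify_server_cert() can report the failure or, at the caller's request, ignore it. Something like `/* Don't let OpenSSL abort the handshake on a bad cert: verify_server_cert() checks SSL_get_verify_result() itself so the caller can opt out of the check */` would stop the next reader from "fixing" it back to SSL_VERIFY_PEER. With this setting OpenSSL no longer rejects anything, so every path that sends data over t->ssl must be guaranteed to run verify_server_cert() (or the explicit opt-out) before the first write; those call sites are not visible from this hunk, so that is worth confirming. ssl_setup's body continues past the hunk.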