authorSara Golemon <sara.golemon@mongodb.com>2018-08-30 16:02:21 +0000
committerSara Golemon <sara.golemon@mongodb.com>2018-08-30 19:57:56 +0000
commit52ddf6e1c9218d6e4eb418106383b35bf7bbe992 (patch)
tree4c0c80e43238ed0288477f6bec1d4ab6ea193a7a /src/mongo/util/net/ssl_manager_apple.cpp
parenta651f84ad5c9d91b2b8b6c5704d07efe9c97c94a (diff)
SERVER-36942 Differentiate invalid hostname from invalid certificate
Diffstat (limited to 'src/mongo/util/net/ssl_manager_apple.cpp')
-rw-r--r--src/mongo/util/net/ssl_manager_apple.cpp7
1 files changed, 4 insertions, 3 deletions
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index 6191b201cf6..885052d8537 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -1197,6 +1197,9 @@ StatusWith<std::pair<::SSLProtocol, ::SSLProtocol>> parseProtocolRange(const SSL
Status SSLManagerApple::initSSLContext(asio::ssl::apple::Context* context,
const SSLParams& params,
ConnectionDirection direction) {
+ // Options.
+ context->allowInvalidHostnames = _allowInvalidHostnames;
+
// Protocol Version.
const auto swProto = parseProtocolRange(params);
if (!swProto.isOK()) {
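Review bot: The `// Options.` comment above `context->allowInvalidHostnames = _allowInvalidHostnames;` does not say what the flag governs, and it is now the only visible place the hostname setting takes effect, since the second hunk removes `_allowInvalidHostnames` from the trust-failure branch of parseAndValidatePeerCertificate. I would replace it with `// Controls hostname-mismatch tolerance only; chain trust failures are gated by _allowInvalidCertificates.` so the separation this commit introduces stays explicit. The code that reads `context->allowInvalidHostnames` is not in this diff, so hostname enforcement presumably happens there; it is worth confirming that a valid chain with a mismatched name is rejected when the flag is false, and that an untrusted chain is still rejected when only the hostname flag is set. initSSLContext continues past the end of the hunk.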
@@ -1367,9 +1370,7 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerApple::parseAndValidatePeerCe
auto result = ::kSecTrustResultInvalid;
uassertOSStatusOK(::SecTrustEvaluate(cftrust.get(), &result), ErrorCodes::SSLHandshakeFailed);
if ((result != ::kSecTrustResultProceed) && (result != ::kSecTrustResultUnspecified)) {
- const bool proceed = _allowInvalidCertificates ||
- (_allowInvalidHostnames && (result == ::kSecTrustResultRecoverableTrustFailure));
- return badCert(explainTrustFailure(cftrust.get(), result), proceed);
+ return badCert(explainTrustFailure(cftrust.get(), result), _allowInvalidCertificates);
}
auto cert = ::SecTrustGetCertificateAtIndex(cftrust.get(), 0);