aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorlloyd <[email protected]>2012-09-06 19:11:47 +0000
committerlloyd <[email protected]>2012-09-06 19:11:47 +0000
commit3c72c80e15d93c03f87356fdcadc43b7be444701 (patch)
treefb6bc08c81ad860187af3b876a9f811f894a30af /src
parentd7edd620da6a7576a90e6877fa0a8b3632864b9c (diff)
Move the hostname check last as it's the least 'important' error.
Only check it if the cert is otherwise valid.
Diffstat (limited to 'src')
-rw-r--r--src/credentials/credentials_manager.cpp6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/credentials/credentials_manager.cpp b/src/credentials/credentials_manager.cpp
index a1f2c90df..95a54d1ae 100644
--- a/src/credentials/credentials_manager.cpp
+++ b/src/credentials/credentials_manager.cpp
@@ -101,9 +101,6 @@ void Credentials_Manager::verify_certificate_chain(
if(cert_chain.empty())
throw std::invalid_argument("Certificate chain was empty");
- if(purported_hostname != "" && !cert_chain[0].matches_dns_name(purported_hostname))
- throw std::runtime_error("Certificate did not match hostname");
-
auto trusted_CAs = trusted_certificate_authorities(type, purported_hostname);
Certificate_Store_In_Memory CAs;
@@ -120,6 +117,9 @@ void Credentials_Manager::verify_certificate_chain(
if(!CAs.certificate_known(result.trust_root()))
throw std::runtime_error("Certificate chain roots in unknown/untrusted CA");
+
+ if(purported_hostname != "" && !cert_chain[0].matches_dns_name(purported_hostname))
+ throw std::runtime_error("Certificate did not match hostname");
}
}