#60 enabled hostname verification by default, as many applications using SSLSockets directly don't know or remember to call post_connection_check.
One unexpected outcome is if an application implements a verify_callback and verification fails, then it is called with preverify_ok=false, but the store_context.error=0 which is OpenSSL::X509::V_OK! This could cause problems if an application assumes store_context.error == 0 means verification succeeded.
If a hostname mismatch is detected, I would expect store_context.error to be set to OpenSSL::X509::V_ERR_CERT_REJECTED so that there is no chance of confusion.
#60 enabled hostname verification by default, as many applications using SSLSockets directly don't know or remember to call
post_connection_check.One unexpected outcome is if an application implements a
verify_callbackand verification fails, then it is called withpreverify_ok=false, but thestore_context.error=0which isOpenSSL::X509::V_OK! This could cause problems if an application assumesstore_context.error == 0means verification succeeded.If a hostname mismatch is detected, I would expect
store_context.errorto be set toOpenSSL::X509::V_ERR_CERT_REJECTEDso that there is no chance of confusion.