From faa2435e3311b692dbed3abf9077c44e37d7f9e4 Mon Sep 17 00:00:00 2001
From: kytv <kytv@mail.i2p>
Date: Sat, 24 May 2014 13:13:35 +0000
Subject: [PATCH] checkremotecerts: fail if CN doesn't match

Since all reseed hosts now have proper certificates with matching CNs, I'm
making this script enforce a stricter policy, requiring matching CNs.
---
 tests/scripts/checkremotecerts.sh | 15 +++------------
 1 file changed, 3 insertions(+), 12 deletions(-)

diff --git a/tests/scripts/checkremotecerts.sh b/tests/scripts/checkremotecerts.sh
index b13d182bed..cf48848f22 100755
--- a/tests/scripts/checkremotecerts.sh
+++ b/tests/scripts/checkremotecerts.sh
@@ -126,18 +126,9 @@ check_hosts() {
             # GnuTLS returns "certificate is trusted"
             # GnuTLS v2 has the word "Peer" before certificate, v3 has the word "The" before it
             if ! grep -q 'Verify return code: 0 (ok)\|certificate is trusted' "$WORK/$HOST"; then
-                # If we end up here it's for one of two probable reasons:
-                # 1) the the CN in the certificate doesn't match the hostname.
-                # 2) the certificate is invalid
-
-                # OpenSSL returns code 21 with self-signed certs.
-                # GnuTLS returns "certificate issuer is unknown"
-                # As noted above, GnuTLS v2 has the word "Peer" before certificate, v3 has the word "The" before it
-
-                # If the CN just doesn't match the hostname, pass
-                if ! grep -q 'Verify return code: 21\|certificate issuer is unknown\|self signed' "$WORK/$HOST"; then : ;else
-                    verify_fingerprint $HOST
-                fi
+                # If we end up here, it's possible that the certificate is valid, but CA: false is set in the certificate.
+                # The OpenSSL binary is "picky" about this. GnuTLS doesn't seem to be.
+                verify_fingerprint $HOST
             fi
             echo
         else
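Review bot: The new branch widens the fingerprint fallback rather than narrowing it: the removed lines only reached `verify_fingerprint` for self-signed / unknown-issuer failures (return code 21), while the new line calls it for every verification failure, including an expired chain or a hostname mismatch, so the pass/fail decision for all of those now rests entirely on `verify_fingerprint`, which is defined outside this hunk. That is fine if the pinned fingerprint is meant to override chain validation, but it does not match the commit message's "stricter policy", and the new comment only mentions the CA:false case; I would state the policy explicitly, e.g. `# Any verification failure (unknown issuer, expiry, CN mismatch) now falls through to the pinned fingerprint; verify_fingerprint is the sole pass/fail decision here.` Also quote the argument, `verify_fingerprint "$HOST"`, so a hostname with shell metacharacters or an empty value cannot split or glob. The enclosing check_hosts() function starts and ends outside the hunk.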
-- 
GitLab