From 1e5dfdc840824723dfa142707aca1f0fca4c0056 Mon Sep 17 00:00:00 2001
From: Jaakko Keränen <jaakko.keranen@iki.fi>
Date: Fri, 26 Mar 2021 11:14:57 +0200
Subject: GmCerts: Relaxed domain verification

Allow a certificate for a higher-level domain to be verified against any subdomains, i.e., implicitly assume every certificate uses wildcards.

CA verification is still done separately, and OpenSSL does that strictly as before.
---
 src/gmrequest.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/gmrequest.c')

diff --git a/src/gmrequest.c b/src/gmrequest.c
index f065f935..c968990c 100644
--- a/src/gmrequest.c
+++ b/src/gmrequest.c
@@ -157,7 +157,7 @@ static void checkServerCertificate_GmRequest_(iGmRequest *d) {
         if (!isExpired_TlsCertificate(cert)) {
             resp->certFlags |= timeVerified_GmCertFlag;
         }
-        if (verifyDomain_TlsCertificate(cert, domain)) {
+        if (verifyDomain_GmCerts(cert, domain)) {
             resp->certFlags |= domainVerified_GmCertFlag;
         }
         if (checkTrust_GmCerts(d->certs, domain, cert)) {
-- 
cgit v1.2.3