wolfSSL HTTP/3 peer verification is lacking

[bagder]

I did this

build curl with ngtcp2 + nghttp3 + wolfSSL

Issue a request that should fail the certificate check, like this:

curl --http3 --resolve example:443:151.101.129.91 https://example

The problem is likely here:

curl/lib/vquic/vquic-tls.c

Lines 325 to 330 in c8e0cd1

	(void)data;
	if(conn_config->verifyhost) {
	if(!peer->sni ||
	wolfSSL_check_domain_name(ctx->ssl, peer->sni) == SSL_FAILURE)
	return CURLE_PEER_FAILED_VERIFICATION;
	}

This does not really verify the peer certificate. For TCP connections this works as it is wired into the wolfSSL connect() implementation and gives a special return code on such a fail.

I expected the following

A request to a server that fails the check should error out.

curl/libcurl version

git master

operating system

independent

[bagder]

@icing feel free to edit/follow-up with corrections or added details as you see fit

[bagder]

This appears to be a wolfSSL problem, would you agree @icing? I see nothing in the wolfSSL docs that suggests that this would not work for QUIC connections but only for TCP. Or am I missing something?

[icing]

I agree. I found no obvious way to do this with the wolfSSL API.

[bagder]

Since we believe this problem is in the wolfSSL end, I'm closing this issue.