- if (!tls_postconnect_verify_host(tls, bsock->host())) {
- Qmsg1(bsock->jcr(), M_FATAL, 0, _("TLS host certificate verification failed. Host %s did not match presented certificate\n"),
- bsock->host());
- goto err;
+ /* If there's an Allowed CN verify list, use that to validate the remote
+ * certificate's CN. Otherwise, we use standard host/CN matching. */
+ if (verify_list) {
+ if (!tls_postconnect_verify_cn(tls, verify_list)) {
+ Qmsg1(bsock->jcr, M_FATAL, 0, _("TLS certificate verification failed."
+ " Peer certificate did not match a required commonName\n"),
+ bsock->host);
+ goto err;
+ }
+ } else {
+ if (!tls_postconnect_verify_host(tls, bsock->host())) {
+ Qmsg1(bsock->jcr(), M_FATAL, 0, _("TLS host certificate verification failed. Host %s did not match presented certificate\n"),
+ bsock->host());
+ goto err;
+ }