Only provide a hostname to SecCreatePolicySSL when verifying

sethmlarson · Aug 23, 2024 · dead3d2 · dead3d2
1 parent 6fa65ab
commit dead3d2
Showing 1 changed file with 3 additions and 6 deletions.
diff --git a/src/truststore/_macos.py b/src/truststore/_macos.py
@@ -367,7 +367,9 @@ def _verify_peercerts_impl(
     trust = None
     cf_error = None
     try:
-        if server_hostname is not None:
+        # Only set a hostname on the policy if we're verifying the hostname
+        # on the leaf certificate.
+        if server_hostname is not None and ssl_context.check_hostname:
             cf_str_hostname = None
             try:
                 cf_str_hostname = _bytes_to_cf_string(server_hostname.encode("ascii"))
@@ -458,11 +460,6 @@ def _verify_peercerts_impl(
                 or cf_error_code == CFConst.errSecCertificateExpired
             ):
                 is_trusted = True
-            elif (
-                not ssl_context.check_hostname
-                and cf_error_code == CFConst.errSecHostNameMismatch
-            ):
-                is_trusted = True
 
         # If we're still not trusted then we start to
         # construct and raise the SSLCertVerificationError.