Only provide a hostname to SecCreatePolicySSL when verifying

sethmlarson · sethmlarson · commit dead3d233ee1 · 2024-08-23T13:13:18.000-05:00
diff --git a/src/truststore/_macos.py b/src/truststore/_macos.py
@@ -367,7 +367,9 @@ def _verify_peercerts_impl(
     trust = None
     cf_error = None
     try:
-        if server_hostname is not None:
+        # Only set a hostname on the policy if we're verifying the hostname
+        # on the leaf certificate.
+        if server_hostname is not None and ssl_context.check_hostname:
             cf_str_hostname = None
             try:
                 cf_str_hostname = _bytes_to_cf_string(server_hostname.encode("ascii"))
@@ -458,11 +460,6 @@ def _verify_peercerts_impl(
                 or cf_error_code == CFConst.errSecCertificateExpired
             ):
                 is_trusted = True
-            elif (
-                not ssl_context.check_hostname
-                and cf_error_code == CFConst.errSecHostNameMismatch
-            ):
-                is_trusted = True
 
         # If we're still not trusted then we start to
         # construct and raise the SSLCertVerificationError.
