Only provide a hostname to SecCreatePolicySSL when verifying

sethmlarson · sethmlarson · commit fdcb7aa54961 · 2024-10-22T09:34:25.000-05:00
diff --git a/src/truststore/_macos.py b/src/truststore/_macos.py
@@ -386,7 +386,9 @@ def _verify_peercerts_impl(
     policies = None
     trust = None
     try:
-        if server_hostname is not None:
+        # Only set a hostname on the policy if we're verifying the hostname
+        # on the leaf certificate.
+        if server_hostname is not None and ssl_context.check_hostname:
             cf_str_hostname = None
             try:
                 cf_str_hostname = _bytes_to_cf_string(server_hostname.encode("ascii"))
@@ -539,11 +541,6 @@ def _verify_peercerts_impl_macos_10_14(
             or cf_error_code == CFConst.errSecCertificateExpired
         ):
             is_trusted = True
-        elif (
-            not ssl_context.check_hostname
-            and cf_error_code == CFConst.errSecHostNameMismatch
-        ):
-            is_trusted = True
 
     # If we're still not trusted then we start to
     # construct and raise the SSLCertVerificationError.
