in that case, certificate verification fails, which seems to be the correct
behaviour. */
-if ( state->tls_verify_certificates && *state->tls_verify_certificates
-#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
- && Ustrcmp(state->exp_tls_verify_certificates, "system") != 0
-#endif
- )
+if (state->tls_verify_certificates && *state->tls_verify_certificates)
{
if (!expand_check_tlsvar(tls_verify_certificates))
return DEFER;
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+ if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
+ state->exp_tls_verify_certificates = NULL;
+#endif
if (state->tls_crl && *state->tls_crl)
if (!expand_check_tlsvar(tls_crl))
return DEFER;
if ( ( state->exp_tls_verify_certificates
&& !ob->tls_verify_hosts
- && !ob->tls_try_verify_hosts
+ && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
)
|| verify_check_given_host(&ob->tls_verify_hosts, host) == OK
)