Revert "openssl: Don't add verify locations when verifypeer==0"

This reverts commit dc85437736.

libcurl (with the OpenSSL backend) performs server certificate verification
even if verifypeer == 0 and the verification result is available using
CURLINFO_SSL_VERIFYRESULT. The commit that is being reverted caused the
CURLINFO_SSL_VERIFYRESULT to not have useful information for the
verifypeer == 0 use case (it would always have
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY).

Closes #2451
Gaurav Malhotra 2018-04-03 18:11:27 +05:30 committed by Daniel Stenberg
parent 336b6a32c0
commit 2536e2450b
GPG Key ID: 5CC908FDB71E12C2


@ -2349,11 +2349,10 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
#endif #endif
if(ssl_cafile || ssl_capath) { if(ssl_cafile || ssl_capath) {
if(verifypeer) { /* tell SSL where to find CA certificates that are used to verify
/* tell SSL where to find CA certificates that are used to verify the servers certificate. */
the servers certificate. */ if(!SSL_CTX_load_verify_locations(BACKEND->ctx, ssl_cafile, ssl_capath)) {
if(!SSL_CTX_load_verify_locations(BACKEND->ctx, if(verifypeer) {
ssl_cafile, ssl_capath)) {
/* Fail if we insist on successfully verifying the server. */ /* Fail if we insist on successfully verifying the server. */
failf(data, "error setting certificate verify locations:\n" failf(data, "error setting certificate verify locations:\n"
" CAfile: %s\n CApath: %s", " CAfile: %s\n CApath: %s",
@ -2361,18 +2360,20 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
ssl_capath ? ssl_capath : "none"); ssl_capath ? ssl_capath : "none");
return CURLE_SSL_CACERT_BADFILE; return CURLE_SSL_CACERT_BADFILE;
} }
else { /* Just continue with a warning if no strict certificate verification
/* Everything is fine. */ is required. */
infof(data, "successfully set certificate verify locations:\n" infof(data, "error setting certificate verify locations,"
" CAfile: %s\n CApath: %s\n", " continuing anyway:\n");
ssl_cafile ? ssl_cafile : "none",
ssl_capath ? ssl_capath : "none");
}
} }
else { else {
infof(data, "ignoring certificate verify locations due to " /* Everything is fine. */
"disabled peer verification\n"); infof(data, "successfully set certificate verify locations:\n");
} }
infof(data,
" CAfile: %s\n"
" CApath: %s\n",
ssl_cafile ? ssl_cafile : "none",
ssl_capath ? ssl_capath : "none");
} }
#ifdef CURL_CA_FALLBACK #ifdef CURL_CA_FALLBACK
else if(verifypeer) { else if(verifypeer) {
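Review bot: The SSL_CTX_load_verify_locations() call that this revert makes unconditional again has no comment saying why the CA locations are loaded even when verifypeer is off, and the commit being reverted shows that without one the call looks redundant and gets skipped again. Above the call I would add `/* Load the CA locations even when peer verification is disabled: the verification still runs and its outcome is reported via CURLINFO_SSL_VERIFYRESULT. */`. In the verifypeer == 0 failure branch the "continuing anyway" message could also say that the later verify result will then presumably report a certificate-chain error, so an application seeing a bad CURLINFO_SSL_VERIFYRESULT can trace it to this log line. ossl_connect_step1() starts and ends outside the hunk.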