darwinssl: --insecure overrides --cacert if both settings are in use

Fixes #1184
Nick Zitzmann 2017-01-03 17:44:57 -06:00
parent 4f2239c5ca
commit ffbb0f0d37


@ -1393,18 +1393,13 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
} }
#endif /* CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS */ #endif /* CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS */
if(ssl_cafile) { if(ssl_cafile && verifypeer) {
bool is_cert_file = is_file(ssl_cafile); bool is_cert_file = is_file(ssl_cafile);
if(!is_cert_file) { if(!is_cert_file) {
failf(data, "SSL: can't load CA certificate file %s", ssl_cafile); failf(data, "SSL: can't load CA certificate file %s", ssl_cafile);
return CURLE_SSL_CACERT_BADFILE; return CURLE_SSL_CACERT_BADFILE;
} }
if(!verifypeer) {
failf(data, "SSL: CA certificate set, but certificate verification "
"is disabled");
return CURLE_SSL_CONNECT_ERROR;
}
} }
/* Configure hostname check. SNI is used if available. /* Configure hostname check. SNI is used if available.
@ -1929,7 +1924,7 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
/* The below is errSSLServerAuthCompleted; it's not defined in /* The below is errSSLServerAuthCompleted; it's not defined in
Leopard's headers */ Leopard's headers */
case -9841: case -9841:
if(SSL_CONN_CONFIG(CAfile)) { if(SSL_CONN_CONFIG(CAfile) && SSL_CONN_CONFIG(verifypeer)) {
int res = verify_cert(SSL_CONN_CONFIG(CAfile), data, int res = verify_cert(SSL_CONN_CONFIG(CAfile), data,
connssl->ssl_ctx); connssl->ssl_ctx);
if(res != CURLE_OK) if(res != CURLE_OK)
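Review bot: A CA file that is set while verifypeer is off is now skipped without any message at `if(ssl_cafile && verifypeer) {` in darwinssl_connect_step1, so a caller who configured both gets a connection with no CA check where the old code refused to connect. I would log the decision, for example `else if(ssl_cafile) infof(data, "SSL: CA certificate file ignored, peer verification is disabled\n");`, and add a comment such as `/* verifypeer off takes precedence: the CA file is neither checked for existence nor used */`. The same precedence applies at `case -9841:` in darwinssl_connect_step2, where verify_cert() is skipped; a one-line comment there would keep the two conditions from drifting apart. Both function bodies start and end outside the hunks, so what follows the skipped branch in step2 is not visible here.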