| author | Gaurav Malhotra <malhotrag@gmail.com> | 2018-04-03 18:11:27 +0530 | 
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2018-04-06 14:25:00 +0200 | 
| commit | 2536e2450b4b0364d83c315ad2ee01b67f514db0 (patch) | |
| tree | 7d53fa64b5780189fdf4498f54d137cf9854cba0 | |
| parent | 336b6a32c0c9bec6bf6ccfc5942a3ce62ff34281 (diff) | |
Revert "openssl: Don't add verify locations when verifypeer==0"
This reverts commit dc85437736e1fc90e689bb1f6c51c8f1aa9430eb.
libcurl (with the OpenSSL backend) performs server certificate verification
even if verifypeer == 0 and the verification result is available using
CURLINFO_SSL_VERIFYRESULT. The commit being reverted left
CURLINFO_SSL_VERIFYRESULT without useful information for the
verifypeer == 0 use case (it would always report
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY).
Closes #2451
| -rw-r--r-- | lib/vtls/openssl.c | 31 | 
1 files changed, 16 insertions, 15 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 205d303ed..cbd89cbe4 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2349,11 +2349,10 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
 #endif
   if(ssl_cafile || ssl_capath) {
-    if(verifypeer) {
-      /* tell SSL where to find CA certificates that are used to verify
-         the servers certificate. */
-      if(!SSL_CTX_load_verify_locations(BACKEND->ctx,
-                                        ssl_cafile, ssl_capath)) {
+    /* tell SSL where to find CA certificates that are used to verify
+       the servers certificate. */
+    if(!SSL_CTX_load_verify_locations(BACKEND->ctx, ssl_cafile, ssl_capath)) {
+      if(verifypeer) {
         /* Fail if we insist on successfully verifying the server. */
         failf(data, "error setting certificate verify locations:\n"
               "  CAfile: %s\n  CApath: %s",
@@ -2361,18 +2360,20 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
               ssl_capath ? ssl_capath : "none");
         return CURLE_SSL_CACERT_BADFILE;
       }
-      else {
-        /* Everything is fine. */
-        infof(data, "successfully set certificate verify locations:\n"
-              "  CAfile: %s\n  CApath: %s\n",
-              ssl_cafile ? ssl_cafile : "none",
-              ssl_capath ? ssl_capath : "none");
-      }
+      /* Just continue with a warning if no strict  certificate verification
+         is required. */
+      infof(data, "error setting certificate verify locations,"
+            " continuing anyway:\n");
     }
     else {
-      infof(data, "ignoring certificate verify locations due to "
-            "disabled peer verification\n");
-    }
+      /* Everything is fine. */
+      infof(data, "successfully set certificate verify locations:\n");
+    }
+    infof(data,
+          "  CAfile: %s\n"
+          "  CApath: %s\n",
+          ssl_cafile ? ssl_cafile : "none",
+          ssl_capath ? ssl_capath : "none");
   }
 #ifdef CURL_CA_FALLBACK
   else if(verifypeer) {
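Review bot: In the verifypeer == 0 failure path of the second hunk, the error that the failed SSL_CTX_load_verify_locations() pushed onto the OpenSSL thread error queue is left in place, and a stale queue entry can make a later SSL_get_error() report SSL_ERROR_SSL for an unrelated I/O result unless the queue is emptied before the handshake; if the connect path does not already do that (it lies outside these hunks), add `ERR_clear_error();` right after the "continuing anyway" infof(). That same infof() also gives the user no reason for the failure, so appending the OpenSSL reason string, e.g. via `ERR_error_string_n(ERR_peek_last_error(), errbuf, sizeof errbuf)` into a local buffer, would make the warning actionable when verification later fails and CURLINFO_SSL_VERIFYRESULT is consulted. The new comment has a doubled space in `no strict  certificate verification`, which should be a single space. ossl_connect_step1() begins and ends outside both hunks.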
