aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGaurav Malhotra <malhotrag@gmail.com>2018-04-03 18:11:27 +0530
committerDaniel Stenberg <daniel@haxx.se>2018-04-06 14:25:00 +0200
commit2536e2450b4b0364d83c315ad2ee01b67f514db0 (patch)
tree7d53fa64b5780189fdf4498f54d137cf9854cba0
parent336b6a32c0c9bec6bf6ccfc5942a3ce62ff34281 (diff)
Revert "openssl: Don't add verify locations when verifypeer==0"
This reverts commit dc85437736e1fc90e689bb1f6c51c8f1aa9430eb. libcurl (with the OpenSSL backend) performs server certificate verification even if verifypeer == 0 and the verification result is available using CURLINFO_SSL_VERIFYRESULT. The commit that is being reverted caused the CURLINFO_SSL_VERIFYRESULT to not have useful information for the verifypeer == 0 use case (it would always have X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY). Closes #2451
-rw-r--r--lib/vtls/openssl.c31
1 files changed, 16 insertions, 15 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 205d303ed..cbd89cbe4 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2349,11 +2349,10 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
#endif
if(ssl_cafile || ssl_capath) {
- if(verifypeer) {
- /* tell SSL where to find CA certificates that are used to verify
- the servers certificate. */
- if(!SSL_CTX_load_verify_locations(BACKEND->ctx,
- ssl_cafile, ssl_capath)) {
+ /* tell SSL where to find CA certificates that are used to verify
+ the servers certificate. */
+ if(!SSL_CTX_load_verify_locations(BACKEND->ctx, ssl_cafile, ssl_capath)) {
+ if(verifypeer) {
/* Fail if we insist on successfully verifying the server. */
failf(data, "error setting certificate verify locations:\n"
" CAfile: %s\n CApath: %s",
@@ -2361,18 +2360,20 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
ssl_capath ? ssl_capath : "none");
return CURLE_SSL_CACERT_BADFILE;
}
- else {
- /* Everything is fine. */
- infof(data, "successfully set certificate verify locations:\n"
- " CAfile: %s\n CApath: %s\n",
- ssl_cafile ? ssl_cafile : "none",
- ssl_capath ? ssl_capath : "none");
- }
+ /* Just continue with a warning if no strict certificate verification
+ is required. */
+ infof(data, "error setting certificate verify locations,"
+ " continuing anyway:\n");
}
else {
- infof(data, "ignoring certificate verify locations due to "
- "disabled peer verification\n");
- }
+ /* Everything is fine. */
+ infof(data, "successfully set certificate verify locations:\n");
+ }
+ infof(data,
+ " CAfile: %s\n"
+ " CApath: %s\n",
+ ssl_cafile ? ssl_cafile : "none",
+ ssl_capath ? ssl_capath : "none");
}
#ifdef CURL_CA_FALLBACK
else if(verifypeer) {