| author | Daniel Stenberg <daniel@haxx.se> | 2015-01-19 23:18:58 +0100 | 
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2015-01-19 23:20:13 +0100 | 
| commit | be57f689b0e9e2573e53df43140e8f3f7575571c (patch) | |
| tree | 7666db7f551083ddb7b312756deaa3783ed0683f | |
| parent | fca58f6212a49cbbf26a896912fec938003064e7 (diff) | |
openssl: do public key pinning check independently
... of the other cert verification checks so that you can set verifyhost
and verifypeer to FALSE and still check the public key.
Bug: http://curl.haxx.se/bug/view.cgi?id=1471
Reported-by: Kyle J. McKay
| -rw-r--r-- | lib/vtls/openssl.c | 12 | 
1 files changed, 7 insertions, 5 deletions
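diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index a68d88eae..fb001738b 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -2592,6 +2592,10 @@ static CURLcode servercert(struct connectdata *conn,
       infof(data, "\t SSL certificate verify ok.\n");
   }
 
+  if(!strict)
+    /* when not strict, we don't bother about the verify cert problems */
+    result = CURLE_OK;
+
   ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
   if(!result && ptr) {
     result = pkp_pin_peer_pubkey(connssl->server_cert, ptr);
@@ -2671,10 +2675,8 @@ static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
    * operations.
    */
-  if(!data->set.ssl.verifypeer && !data->set.ssl.verifyhost)
-    (void)servercert(conn, connssl, FALSE);
-  else
-    result = servercert(conn, connssl, TRUE);
+  result = servercert(conn, connssl,
+                      (data->set.ssl.verifypeer || data->set.ssl.verifyhost));
   if(!result)
     connssl->connecting_state = ssl_connect_done;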
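Review bot: In the servercert hunk, `result = CURLE_OK` under `if(!strict)` wipes out whatever code `result` carried into this point, not only certificate-verification failures, so when verifypeer and verifyhost are both off the caller in ossl_connect_step3 can now only ever observe a pinning failure; the start of servercert is outside the hunk, so whether a non-verification error (for example an allocation failure) can reach this line is not visible here. If only verification failures are meant to be tolerated, confine the reset to the places where those codes are assigned, or at least state the contract at the top of servercert: `/* strict FALSE: certificate verification failures are ignored, but a pinned-key mismatch is still returned */`. The braceless `if` whose first body line is a comment is easy to misread as an empty body; brace it so the comment and the assignment sit together in `{ ... }`. Note also that the pin is only compared when `result` is CURLE_OK, so under strict a verification failure is reported before the pin is ever checked, which is acceptable but worth a word in that comment.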
