author | Kamil Dudka <kdudka@redhat.com> | 2009-08-13 16:04:51 +0000 |
---|---|---|
committer | Kamil Dudka <kdudka@redhat.com> | 2009-08-13 16:04:51 +0000 |
commit | 6293fe98a030dc776f38dec97e8241cb09cdd170 (patch) | |
tree | d44311eba134062663458118e1011b1ada4a6e94 | |
parent | 5c716247aa1595cb7e8388edfc5a4be026a403e3 (diff) |
- Changed NSS code to not ignore the value of ssl.verifyhost and produce more
verbose error messages. Originally reported at:
https://bugzilla.redhat.com/show_bug.cgi?id=516056
-rw-r--r-- | CHANGES | 5 | ||||
-rw-r--r-- | lib/nss.c | 23 |
2 files changed, 24 insertions, 4 deletions
@@ -6,6 +6,11 @@ Changelog
+Kamil Dudka (13 Aug 2009)
+- Changed NSS code to not ignore the value of ssl.verifyhost and produce more
+  verbose error messages. Originally reported at:
+  https://bugzilla.redhat.com/show_bug.cgi?id=516056
+
 Daniel Stenberg (12 Aug 2009)
 - Karl Moerder fixed the Makefile.vc* makefiles to include the new file
   nonblock.c so that they work fine again
@@ -615,16 +615,26 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
           issuer);
     break;
   case SSL_ERROR_BAD_CERT_DOMAIN:
-    if(conn->data->set.ssl.verifypeer)
+    if(conn->data->set.ssl.verifyhost) {
+      failf(conn->data, "common name '%s' does not match '%s'",
+            subject, conn->host.dispname);
       success = SECFailure;
-    infof(conn->data, "common name: %s (does not match '%s')\n",
-          subject, conn->host.dispname);
+    } else {
+      infof(conn->data, "warning: common name '%s' does not match '%s'\n",
+            subject, conn->host.dispname);
+    }
     break;
   case SEC_ERROR_EXPIRED_CERTIFICATE:
     if(conn->data->set.ssl.verifypeer)
       success = SECFailure;
     infof(conn->data, "Remote Certificate has expired.\n");
     break;
+  case SEC_ERROR_UNKNOWN_ISSUER:
+    if(conn->data->set.ssl.verifypeer)
+      success = SECFailure;
+    infof(conn->data, "Peer's certificate issuer is not recognized: '%s'\n",
+          issuer);
+    break;
   default:
     if(conn->data->set.ssl.verifypeer)
       success = SECFailure;
@@ -1067,6 +1077,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
     }
   }
+  if(data->set.ssl.verifyhost == 1)
+    infof(data, "warning: ignoring unsupported value (1) of ssl.verifyhost\n");
+
   data->set.ssl.certverifyresult=0; /* not checked yet */
   if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn)
      != SECSuccess) {
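Review bot: The new SEC_ERROR_UNKNOWN_ISSUER case returns SECSuccess whenever verifypeer is off, and since this hook is invoked with a single NSS error per handshake, accepting a chain error here may mean the hostname comparison that the reworked SSL_ERROR_BAD_CERT_DOMAIN branch enforces is never reached for a certificate that is both from an unknown issuer and for the wrong name — whether NSS still runs the name check after the hook accepts a chain failure is not visible from this hunk and should be confirmed against SSL_AuthCertificate. If it does not, the verifypeer=0/verifyhost=2 combination silently loses host verification, and the hook would need its own name check (for example CERT_VerifyCertName on the peer certificate) before returning SECSuccess in the non-domain cases. At minimum record the assumption next to the new case: `/* NOTE: NSS reports only the first failing check; accepting a chain error here may skip the name check -- confirm */`. The head of the switch, where `subject` and `issuer` are presumably filled in, and the end of BadCertHandler are outside the hunk.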
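Review bot: The warning text `"warning: ignoring unsupported value (1) of ssl.verifyhost\n"` reads as if host checking were being turned off, whereas the `if(conn->data->set.ssl.verifyhost)` test this commit adds to BadCertHandler treats 1 exactly like 2 and fails the handshake on a name mismatch. Saying what actually happens avoids a user assuming the weaker legacy semantics, e.g. `infof(data, "warning: ssl.verifyhost=1 is not supported by NSS, treating it as 2\n");`. The enclosing Curl_nss_connect body starts and ends outside the hunk.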
@@ -1200,7 +1213,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
   if(SSL_ForceHandshakeWithTimeout(connssl->handle,
                                    PR_SecondsToInterval(HANDSHAKE_TIMEOUT))
                                    != SECSuccess) {
-    if(conn->data->set.ssl.certverifyresult!=0)
+    if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
+      curlerr = CURLE_PEER_FAILED_VERIFICATION;
+    else if(conn->data->set.ssl.certverifyresult!=0)
       curlerr = CURLE_SSL_CACERT;
     goto error;
   }
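Review bot: The new mapping to CURLE_PEER_FAILED_VERIFICATION keys on certverifyresult alone, so if BadCertHandler stores the NSS error code before deciding whether to accept it (that assignment is outside this hunk — please check), a handshake that is accepted on a name mismatch with verifyhost off but then fails for an unrelated reason, such as the timeout, would be reported as a peer verification failure. Either record certverifyresult only when the hook returns SECFailure, or guard the mapping here: `if(conn->data->set.ssl.verifyhost && conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)`. Curl_nss_connect continues beyond the end of the hunk.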