aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2015-01-19 23:18:58 +0100
committerDaniel Stenberg <daniel@haxx.se>2015-01-19 23:20:13 +0100
commitbe57f689b0e9e2573e53df43140e8f3f7575571c (patch)
tree7666db7f551083ddb7b312756deaa3783ed0683f
parentfca58f6212a49cbbf26a896912fec938003064e7 (diff)
openssl: do public key pinning check independently
... of the other cert verification checks so that you can set verifyhost and verifypeer to FALSE and still check the public key. Bug: http://curl.haxx.se/bug/view.cgi?id=1471 Reported-by: Kyle J. McKay
-rw-r--r--lib/vtls/openssl.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index a68d88eae..fb001738b 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -2592,6 +2592,10 @@ static CURLcode servercert(struct connectdata *conn,
infof(data, "\t SSL certificate verify ok.\n");
}
+ if(!strict)
+ /* when not strict, we don't bother about the verify cert problems */
+ result = CURLE_OK;
+
ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
if(!result && ptr) {
result = pkp_pin_peer_pubkey(connssl->server_cert, ptr);
@@ -2671,10 +2675,8 @@ static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
* operations.
*/
- if(!data->set.ssl.verifypeer && !data->set.ssl.verifyhost)
- (void)servercert(conn, connssl, FALSE);
- else
- result = servercert(conn, connssl, TRUE);
+ result = servercert(conn, connssl,
+ (data->set.ssl.verifypeer || data->set.ssl.verifyhost));
if(!result)
connssl->connecting_state = ssl_connect_done;