nss: load CA certificates even with --insecure

... because they may include an intermediate certificate for a client certificate and the intermediate certificate needs to be presented to the server, no matter if we verify the peer or not. Reported-by: thraidh Closes #851
author: Kamil Dudka <kdudka@redhat.com> 2017-03-06 16:20:33 +0100
committer: Kamil Dudka <kdudka@redhat.com> 2017-04-10 13:44:52 +0200
commit: d29e9de146a5d56aea07fad43b0572b3a44fd3db (patch)
tree: 8f75383a294398edbb3faf3db003cb8a6b200c2b
parent: 764ad34cad3a097efb7fc4dd2f579e8d324c9be8 (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 0149d7e37..1d7047a3d 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1770,9 +1770,12 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
   if(SSL_HandshakeCallback(model, HandshakeCallback, conn) != SECSuccess)
     goto error;
 
-  if(SSL_CONN_CONFIG(verifypeer)) {
+  {
     const CURLcode rv = nss_load_ca_certificates(conn, sockindex);
-    if(rv) {
+    if((rv == CURLE_SSL_CACERT_BADFILE) && !SSL_CONN_CONFIG(verifypeer))
+      /* not a fatal error because we are not going to verify the peer */
+      infof(data, "warning: CA certificates failed to load\n");
+    else if(rv) {
       result = rv;
       goto error;
     }
author	Kamil Dudka <kdudka@redhat.com>	2017-03-06 16:20:33 +0100
committer	Kamil Dudka <kdudka@redhat.com>	2017-04-10 13:44:52 +0200
commit	d29e9de146a5d56aea07fad43b0572b3a44fd3db (patch)
tree	8f75383a294398edbb3faf3db003cb8a6b200c2b
parent	764ad34cad3a097efb7fc4dd2f579e8d324c9be8 (diff)