author | Nick Zitzmann <nickzman@gmail.com> | 2017-01-03 17:44:57 -0600 |
---|---|---|
committer | Nick Zitzmann <nickzman@gmail.com> | 2017-01-03 17:44:57 -0600 |
commit | ffbb0f0d37c3969eb59c2fb78ca8297e319960fa (patch) | |
tree | b2aee2b225d680b6168b11c6d9e4178cbaa997ca | |
parent | 4f2239c5cad235df5dec767b55767b47d0c7e561 (diff) |
darwinssl: --insecure overrides --cacert if both settings are in use
Fixes #1184
-rw-r--r-- | lib/vtls/darwinssl.c | 9 |
1 files changed, 2 insertions, 7 deletions
diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
index 66d872708..7066281fe 100644
--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
@@ -1393,18 +1393,13 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
 }
 #endif /* CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS */
- if(ssl_cafile) {
+ if(ssl_cafile && verifypeer) {
 bool is_cert_file = is_file(ssl_cafile);
 if(!is_cert_file) {
 failf(data, "SSL: can't load CA certificate file %s", ssl_cafile);
 return CURLE_SSL_CACERT_BADFILE;
 }
- if(!verifypeer) {
- failf(data, "SSL: CA certificate set, but certificate verification "
- "is disabled");
- return CURLE_SSL_CONNECT_ERROR;
- }
 }
 /* Configure hostname check. SNI is used if available.
@@ -1929,7 +1924,7 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
 /* The below is errSSLServerAuthCompleted; it's not defined in Leopard's headers */
 case -9841:
- if(SSL_CONN_CONFIG(CAfile)) {
+ if(SSL_CONN_CONFIG(CAfile) && SSL_CONN_CONFIG(verifypeer)) {
 int res = verify_cert(SSL_CONN_CONFIG(CAfile), data, connssl->ssl_ctx);
 if(res != CURLE_OK) |
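Review bot: With `verifypeer` off, the new `if(ssl_cafile && verifypeer)` in darwinssl_connect_step1 skips the CA-file block without any message, so a configured CA file is neither checked nor used and the connection presumably proceeds without peer authentication; the `case -9841:` hunk in darwinssl_connect_step2 skips `verify_cert()` in the same silent way. The removed branch failed closed with CURLE_SSL_CONNECT_ERROR, and since the override is now intentional, a verbose notice would keep the downgrade visible in logs, e.g. `else if(ssl_cafile) infof(data, "SSL: CA certificate file ignored, peer verification is disabled\n");`. A short comment above each condition, such as `/* --insecure wins: the CA file is deliberately ignored when verifypeer is off */`, would keep a later reader from restoring the check. Both function bodies start and end outside the hunks shown.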