darwinssl: --insecure overrides --cacert if both settings are in use

Fixes #1184
author: Nick Zitzmann <nickzman@gmail.com> 2017-01-03 17:44:57 -0600
committer: Nick Zitzmann <nickzman@gmail.com> 2017-01-03 17:44:57 -0600
commit: ffbb0f0d37c3969eb59c2fb78ca8297e319960fa (patch)
tree: b2aee2b225d680b6168b11c6d9e4178cbaa997ca /lib/vtls/darwinssl.c
parent: 4f2239c5cad235df5dec767b55767b47d0c7e561 (diff)
1 files changed, 2 insertions, 7 deletions
diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
index 66d872708..7066281fe 100644
--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
@@ -1393,18 +1393,13 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
   }
 #endif /* CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS */
 
-  if(ssl_cafile) {
+  if(ssl_cafile && verifypeer) {
     bool is_cert_file = is_file(ssl_cafile);
 
     if(!is_cert_file) {
       failf(data, "SSL: can't load CA certificate file %s", ssl_cafile);
       return CURLE_SSL_CACERT_BADFILE;
     }
-    if(!verifypeer) {
-      failf(data, "SSL: CA certificate set, but certificate verification "
-            "is disabled");
-      return CURLE_SSL_CONNECT_ERROR;
-    }
   }
 
   /* Configure hostname check. SNI is used if available.
@@ -1929,7 +1924,7 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
       /* The below is errSSLServerAuthCompleted; it's not defined in
         Leopard's headers */
       case -9841:
-        if(SSL_CONN_CONFIG(CAfile)) {
+        if(SSL_CONN_CONFIG(CAfile) && SSL_CONN_CONFIG(verifypeer)) {
           int res = verify_cert(SSL_CONN_CONFIG(CAfile), data,
                                 connssl->ssl_ctx);
           if(res != CURLE_OK)
author	Nick Zitzmann <nickzman@gmail.com>	2017-01-03 17:44:57 -0600
committer	Nick Zitzmann <nickzman@gmail.com>	2017-01-03 17:44:57 -0600
commit	ffbb0f0d37c3969eb59c2fb78ca8297e319960fa (patch)
tree	b2aee2b225d680b6168b11c6d9e4178cbaa997ca /lib/vtls/darwinssl.c
parent	4f2239c5cad235df5dec767b55767b47d0c7e561 (diff)