aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls
diff options
context:
space:
mode:
authorPatrick Schlangen <patrick@schlangen.me>2018-02-05 17:17:15 +0100
committerDaniel Stenberg <daniel@haxx.se>2018-02-06 10:48:03 +0100
commitdc85437736e1fc90e689bb1f6c51c8f1aa9430eb (patch)
treea6c372562caab12ba4f830c222b34ffea565b75c /lib/vtls
parent05484d48311b47c1fcc9a360266f53723ddf7300 (diff)
openssl: Don't add verify locations when verifypeer==0
When peer verification is disabled, calling SSL_CTX_load_verify_locations is not necessary. Only call it when verification is enabled to save resources and increase performance. Closes #2290
Diffstat (limited to 'lib/vtls')
-rw-r--r--lib/vtls/openssl.c31
1 files changed, 15 insertions, 16 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 0d7baca8b..2a6b3cfac 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2338,10 +2338,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
#endif
if(ssl_cafile || ssl_capath) {
- /* tell SSL where to find CA certificates that are used to verify
- the servers certificate. */
- if(!SSL_CTX_load_verify_locations(BACKEND->ctx, ssl_cafile, ssl_capath)) {
- if(verifypeer) {
+ if(verifypeer) {
+ /* tell SSL where to find CA certificates that are used to verify
+ the servers certificate. */
+ if(!SSL_CTX_load_verify_locations(BACKEND->ctx,
+ ssl_cafile, ssl_capath)) {
/* Fail if we insist on successfully verifying the server. */
failf(data, "error setting certificate verify locations:\n"
" CAfile: %s\n CApath: %s",
@@ -2349,20 +2350,18 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
ssl_capath ? ssl_capath : "none");
return CURLE_SSL_CACERT_BADFILE;
}
- /* Just continue with a warning if no strict certificate verification
- is required. */
- infof(data, "error setting certificate verify locations,"
- " continuing anyway:\n");
+ else {
+ /* Everything is fine. */
+ infof(data, "successfully set certificate verify locations:\n"
+ " CAfile: %s\n CApath: %s\n",
+ ssl_cafile ? ssl_cafile : "none",
+ ssl_capath ? ssl_capath : "none");
+ }
}
else {
- /* Everything is fine. */
- infof(data, "successfully set certificate verify locations:\n");
- }
- infof(data,
- " CAfile: %s\n"
- " CApath: %s\n",
- ssl_cafile ? ssl_cafile : "none",
- ssl_capath ? ssl_capath : "none");
+ infof(data, "ignoring certificate verify locations due to "
+ "disabled peer verification\n");
+ }
}
#ifdef CURL_CA_FALLBACK
else if(verifypeer) {