authorPatrick Monnerat <patrick.monnerat@dh.com>2016-02-08 14:52:18 +0100
committerPatrick Monnerat <patrick.monnerat@dh.com>2016-02-08 14:52:18 +0100
commitc4303fd5bb26c54a90a8e1ab4380f615995dd0c6 (patch)
tree56e18e7af6ea609191edd7bb189c74377f01be68 /lib
parent8893a45e7664b596e62b04b4d7260641cf1769df (diff)
parente49ab0a3b8891988de54b2af1e79ad89a9be04e5 (diff)
Merge branch 'master' of github.com:curl/curl
Diffstat (limited to 'lib')
-rw-r--r--lib/vtls/gtls.c10
-rw-r--r--lib/vtls/openssl.c7
2 files changed, 16 insertions, 1 deletions
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index a9702c4a4..2c7eb1729 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -487,6 +487,14 @@ gtls_connect_step1(struct connectdata *conn,
}
#endif
+#ifdef CURL_CA_FALLBACK
+ /* use system ca certificate store as fallback */
+ if(data->set.ssl.verifypeer &&
+ !(data->set.ssl.CAfile || data->set.ssl.CApath)) {
+ gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred);
+ }
+#endif
+
if(data->set.ssl.CRLfile) {
/* set the CRL list file */
rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred,
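Review bot: The added `CURL_CA_FALLBACK` block discards the return value of `gnutls_certificate_set_x509_system_trust()`, which is the number of certificates loaded or a negative error code, so a missing or unreadable system store goes unreported and only shows up later as a generic peer-verification failure. Capture it in the `rc` used just below and report it, e.g. `rc = gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred);` followed by `if(rc < 0) infof(data, "error reading system trust store (%s)\n", gnutls_strerror(rc));`. The same applies to the `SSL_CTX_set_default_verify_paths(connssl->ctx)` call added in lib/vtls/openssl.c, whose result is likewise ignored. A comment should also state that with this fallback the trust anchors come from the host's store whenever neither CAfile nor CApath is set. The body of gtls_connect_step1 extends beyond this hunk, so that `rc` is in scope at this point is inferred from the context line that follows.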
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 70cfb84af..b36c6a611 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1960,6 +1960,13 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
data->set.str[STRING_SSL_CAPATH] ? data->set.str[STRING_SSL_CAPATH]:
"none");
}
+#ifdef CURL_CA_FALLBACK
+ else if(data->set.ssl.verifypeer) {
+ /* verfying the peer without any CA certificates won't
+ work so use openssl's built in default as fallback */
+ SSL_CTX_set_default_verify_paths(connssl->ctx);
+ }
+#endif
if(data->set.str[STRING_SSL_CRLFILE]) {
/* tell SSL where to find CRL file that is used to check certificate