diff options
author | Jay Satiro <raysatiro@yahoo.com> | 2016-01-18 03:48:10 -0500 |
---|---|---|
committer | Jay Satiro <raysatiro@yahoo.com> | 2016-01-18 03:48:10 -0500 |
commit | d58ba66eeceb5a290ecd50f596606a7f77d68b4b (patch) | |
tree | d9d56a027821f1e3d7dc8c77ad6a05b282a4adb7 /src/tool_easysrc.h | |
parent | d56637113092ebc6721601812510ef5e3e5126e4 (diff) |
mbedtls: Fix pinned key return value on fail
- Switch from verifying a pinned public key in a callback during the
certificate verification to inline after the certificate verification.
The callback method had three problems:
1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
was not returned.
2. If peer certificate verification was disabled the pinned key
verification did not take place as it should.
3. (related to #2) If there was no certificate of depth 0 the callback
would not have checked the pinned public key.
Though all those problems could have been fixed it would have made the
code more complex. Instead we now verify inline after the certificate
verification in mbedtls_connect_step2.
Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
Ref: https://github.com/bagder/curl/pull/601
Diffstat (limited to 'src/tool_easysrc.h')
0 files changed, 0 insertions, 0 deletions