aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--CHANGES5
-rw-r--r--RELEASE-NOTES2
-rw-r--r--lib/nss.c17
3 files changed, 17 insertions, 7 deletions
diff --git a/CHANGES b/CHANGES
index 586a1ecdb..cd775a095 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,11 @@
Changelog
+Daniel S (25 October 2007)
+- Made libcurl built with NSS possible to ignore the peer verification.
+ Previously it would fail if the ca bundle wasn't present, even if the code
+ ignored the verification results.
+
Patrick M (25 October 2007)
- Fixed test server to allow null bytes in binary posts.
_ Added tests 35, 544 & 545 to check binary data posts, both static (in place)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 962bff7d7..69cac11bd 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -45,6 +45,8 @@ This release includes the following bugfixes:
over a HTTP proxy
o embed the manifest in VC8 builds
o use valgrind in the tests even when the lib is built shared with libtool
+ o libcurl built with NSS can now ignore the peer verification even whjen the
+ ca cert bundle is absent
This release includes the following known bugs:
diff --git a/lib/nss.c b/lib/nss.c
index 8429ed885..52a25def3 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -909,9 +909,12 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
NULL) != SECSuccess)
goto error;
- if (data->set.ssl.CAfile) {
- rv = nss_load_cert(data->set.ssl.CAfile, PR_TRUE);
- if (!rv) {
+ if(!data->set.ssl.verifypeer)
+ /* skip the verifying of the peer */
+ ;
+ else if (data->set.ssl.CAfile) {
+ int rc = nss_load_cert(data->set.ssl.CAfile, PR_TRUE);
+ if (!rc) {
curlerr = CURLE_SSL_CACERT_BADFILE;
goto error;
}
@@ -954,8 +957,8 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
data->set.ssl.CApath ? data->set.ssl.CApath : "none");
if(data->set.str[STRING_CERT]) {
- char * n;
- char * nickname;
+ char *n;
+ char *nickname;
nickname = (char *)malloc(PATH_MAX);
if(is_file(data->set.str[STRING_CERT])) {
@@ -973,7 +976,7 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
goto error;
}
if (!cert_stuff(conn, data->set.str[STRING_CERT],
- data->set.str[STRING_KEY])) {
+ data->set.str[STRING_KEY])) {
/* failf() is already done in cert_stuff() */
free(nickname);
return CURLE_SSL_CERTPROBLEM;
@@ -983,7 +986,7 @@ CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
if(SSL_GetClientAuthDataHook(model,
(SSLGetClientAuthData) SelectClientCert,
(void *)connssl->client_nickname) !=
- SECSuccess) {
+ SECSuccess) {
curlerr = CURLE_SSL_CERTPROBLEM;
goto error;
}