diff options
| -rw-r--r-- | CHANGES | 7 | ||||
| -rw-r--r-- | RELEASE-NOTES | 2 | ||||
| -rw-r--r-- | lib/gtls.c | 46 |
3 files changed, 34 insertions, 21 deletions
@@ -7,6 +7,13 @@ Changelog Daniel S (15 Feb 2008) +- Made the gnutls code path not even try to get the server cert if no peer + verification is requested. Previously it would even return failure if gnutls + failed to get the server cert even though no verification was asked for. + Public server showing the problem: https://www.net222.caisse-epargne.fr + +- Fix my Curl_timeleft() leftover mistake in the gnutls code + - Pooyan McSporran found and fixed a flaw where you first would do a normal http request and then you'd reuse the handle and replace the Accept: header, as then libcurl would send two Accept: headers! diff --git a/RELEASE-NOTES b/RELEASE-NOTES index f2784b787..9f373eb0f 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -20,6 +20,8 @@ This release includes the following bugfixes: o GnuTLS-built libcurl failed when doing global cleanup and reinit o error message problem when unable to resolve a host on Windows o Accept: header replacing + o not verificating server certs with gnutls still failed if gnutls had problems + with the cert This release includes the following known bugs: diff --git a/lib/gtls.c b/lib/gtls.c index 01ea303bb..4152ded26 100644 --- a/lib/gtls.c +++ b/lib/gtls.c @@ -156,7 +156,7 @@ static CURLcode handshake(struct connectdata *conn, rc = gnutls_handshake(session); if((rc == GNUTLS_E_AGAIN) || (rc == GNUTLS_E_INTERRUPTED)) { - long timeout_ms = Curl_connecttimeleft(conn, NULL, duringconnect); + long timeout_ms = Curl_timeleft(conn, NULL, duringconnect); if(timeout_ms < 0) { /* a precaution, no need to continue if time already is up */ @@ -336,38 +336,42 @@ Curl_gtls_connect(struct connectdata *conn, chainp = gnutls_certificate_get_peers(session, &cert_list_size); if(!chainp) { - if(data->set.ssl.verifyhost) { + if(data->set.ssl.verifypeer) { failf(data, "failed to get server cert"); return CURLE_PEER_FAILED_VERIFICATION; } infof(data, "\t common name: WARNING couldn't obtain\n"); } - /* This function will try to verify the peer's certificate and return its - status (trusted, invalid etc.). The value of status should be one or more - of the gnutls_certificate_status_t enumerated elements bitwise or'd. To - avoid denial of service attacks some default upper limits regarding the - certificate key size and chain size are set. To override them use - gnutls_certificate_set_verify_limits(). */ + if(data->set.ssl.verifypeer) { + /* This function will try to verify the peer's certificate and return its + status (trusted, invalid etc.). The value of status should be one or + more of the gnutls_certificate_status_t enumerated elements bitwise + or'd. To avoid denial of service attacks some default upper limits + regarding the certificate key size and chain size are set. To override + them use gnutls_certificate_set_verify_limits(). */ - rc = gnutls_certificate_verify_peers2(session, &verify_status); - if(rc < 0) { - failf(data, "server cert verify failed: %d", rc); - return CURLE_SSL_CONNECT_ERROR; - } + rc = gnutls_certificate_verify_peers2(session, &verify_status); + if(rc < 0) { + failf(data, "server cert verify failed: %d", rc); + return CURLE_SSL_CONNECT_ERROR; + } - /* verify_status is a bitmask of gnutls_certificate_status bits */ - if(verify_status & GNUTLS_CERT_INVALID) { - if(data->set.ssl.verifypeer) { - failf(data, "server certificate verification failed. CAfile: %s", - data->set.ssl.CAfile?data->set.ssl.CAfile:"none"); - return CURLE_SSL_CACERT; + /* verify_status is a bitmask of gnutls_certificate_status bits */ + if(verify_status & GNUTLS_CERT_INVALID) { + if(data->set.ssl.verifypeer) { + failf(data, "server certificate verification failed. CAfile: %s", + data->set.ssl.CAfile?data->set.ssl.CAfile:"none"); + return CURLE_SSL_CACERT; + } + else + infof(data, "\t server certificate verification FAILED\n"); } else - infof(data, "\t server certificate verification FAILED\n"); + infof(data, "\t server certificate verification OK\n"); } else - infof(data, "\t server certificate verification OK\n"); + infof(data, "\t server certificate verification SKIPPED\n"); /* initialize an X.509 certificate structure. */ gnutls_x509_crt_init(&x509_cert); |