Diffstat (limited to 'lib')
-rw-r--r--lib/ftp.c3
-rw-r--r--lib/url.c22
-rw-r--r--lib/urldata.h7
3 files changed, 25 insertions, 7 deletions
diff --git a/lib/ftp.c b/lib/ftp.c
index 11378b909..05d936c79 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -711,8 +711,7 @@ CURLcode ftp_cwd(struct connectdata *conn, char *path)
CURLcode result;
FTPSENDF(conn, "CWD %s", path);
- nread = Curl_GetFTPResponse(
- conn->data->state.buffer, conn, &ftpcode);
+ nread = Curl_GetFTPResponse(conn->data->state.buffer, conn, &ftpcode);
if (nread < 0)
return CURLE_OPERATION_TIMEOUTED;
diff --git a/lib/url.c b/lib/url.c
index 4fa601f7c..43a7e400b 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -1004,10 +1004,11 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, ...)
break;
case CURLOPT_CAPATH:
/*
- * Set CA path info for SSL connection. Specify directory name of the CA certificates
- * which have been prepared using openssl c_rehash utility.
+ * Set CA path info for SSL connection. Specify directory name of the CA
+ * certificates which have been prepared using openssl c_rehash utility.
*/
- data->set.ssl.CApath = va_arg(param, char *); /*This does not work on windows.*/
+ /* This does not work on windows. */
+ data->set.ssl.CApath = va_arg(param, char *);
break;
case CURLOPT_TELNETOPTIONS:
/*
@@ -1048,6 +1049,10 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, ...)
}
break;
+ case CURLOPT_SSL_INSECURE:
+ data->set.ssl.allow_insecure = va_arg(param, long)?TRUE:FALSE;
+ break;
+
default:
/* unknown tag and its companion, just ignore: */
return CURLE_FAILED_INIT; /* correct this */
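Review bot: The new `case CURLOPT_SSL_INSECURE:` carries no comment, while the neighbouring `CURLOPT_CAPATH` case documents what its option means; a one-liner such as `/* Allow SSL connects even when no CAfile/CApath is set to verify the peer against */` above the assignment would keep the switch readable. On style, `va_arg(param, long)?TRUE:FALSE` would read more consistently as `va_arg(param, long) ? TRUE : FALSE`, though I cannot see from this hunk whether the other boolean options in Curl_setopt use the spaced form. Curl_setopt's body starts and ends outside the hunk.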
@@ -2035,6 +2040,17 @@ static CURLcode CreateConnection(struct SessionHandle *data,
return CURLE_UNSUPPORTED_PROTOCOL;
}
+ if(conn->protocol & PROT_SSL) {
+ /* If SSL is requested, require security level info */
+
+ if(!data->set.ssl.allow_insecure &&
+ !(data->set.ssl.CAfile || data->set.ssl.CApath)) {
+ failf(data, "Insecure SSL connect attempted without explicit permission granted");
+ return CURLE_SSL_INSECURE;
+ }
+ }
+
+
/*************************************************************
* Figure out the remote port number
*
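Review bot: The new gate only checks that a CA file or path is configured, not that peer verification is actually enabled, so a caller with CAfile set but verifypeer cleared (urldata.h describes verifypeer as "set TRUE if this is desired") passes the check and still makes an unverified connection; if the intent is that any unverified SSL connect needs explicit permission, the condition should cover that too, `if(!data->set.ssl.allow_insecure && (!data->set.ssl.verifypeer || !(data->set.ssl.CAfile || data->set.ssl.CApath))) {`. `CURLE_SSL_INSECURE` is not defined anywhere in this lib-only diffstat, so presumably it is added to the public error enum outside this view. The two blank lines inserted before the "Figure out the remote port number" banner could be a single one. CreateConnection starts and ends outside the hunk.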
diff --git a/lib/urldata.h b/lib/urldata.h
index 0d4a11a8b..ce15dbf9f 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -136,14 +136,17 @@ struct ssl_config_data {
long version; /* what version the client wants to use */
long certverifyresult; /* result from the certificate verification */
long verifypeer; /* set TRUE if this is desired */
- long verifyhost; /* 0: no verif, 1: check that CN exists, 2: CN must match hostname */
+ long verifyhost; /* 0: no verify
+ 1: check that CN exists
+ 2: CN must match hostname */
char *CApath; /* DOES NOT WORK ON WINDOWS */
char *CAfile; /* cerficate to verify peer against */
char *random_file; /* path to file containing "random" data */
char *egdsocket; /* path to file containing the EGD daemon socket */
char *cipher_list; /* list of ciphers to use */
+ bool allow_insecure; /* allow connects without any CA certificate */
- long numsessions; /* SSL session id cache size */
+ long numsessions; /* SSL session id cache size */
};
/****************************************************************************
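Review bot: `allow_insecure` is declared `bool` while the sibling flags in ssl_config_data (`verifypeer`, `verifyhost`) are `long`; if the struct convention is `long` for flags the new field should follow it, otherwise the header must guarantee that `bool` is defined everywhere urldata.h is included. The field comment could also state what the default means, e.g. `bool allow_insecure; /* allow SSL connects with neither CAfile nor CApath set; FALSE requires one of them */`, with the caveat that a secure-by-default reading assumes the struct is zero-initialised on allocation, which this hunk does not show. The `numsessions` line is removed and re-added with no visible change, which looks like a whitespace-only edit.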