From ffbb0f0d37c3969eb59c2fb78ca8297e319960fa Mon Sep 17 00:00:00 2001
From: Nick Zitzmann
Date: Tue, 3 Jan 2017 17:44:57 -0600
Subject: darwinssl: --insecure overrides --cacert if both settings are in use
Fixes #1184
---
 lib/vtls/darwinssl.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
(limited to 'lib/vtls/darwinssl.c')
diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
index 66d872708..7066281fe 100644
--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
@@ -1393,18 +1393,13 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
 }
 #endif /* CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS */
- if(ssl_cafile) {
+ if(ssl_cafile && verifypeer) {
 bool is_cert_file = is_file(ssl_cafile);
 if(!is_cert_file) {
 failf(data, "SSL: can't load CA certificate file %s", ssl_cafile);
 return CURLE_SSL_CACERT_BADFILE;
 }
- if(!verifypeer) {
- failf(data, "SSL: CA certificate set, but certificate verification "
- "is disabled");
- return CURLE_SSL_CONNECT_ERROR;
- }
 }
 /* Configure hostname check. SNI is used if available.
@@ -1929,7 +1924,7 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
 /* The below is errSSLServerAuthCompleted; it's not defined in Leopard's headers */
 case -9841:
- if(SSL_CONN_CONFIG(CAfile)) {
+ if(SSL_CONN_CONFIG(CAfile) && SSL_CONN_CONFIG(verifypeer)) {
 int res = verify_cert(SSL_CONN_CONFIG(CAfile), data, connssl->ssl_ctx);
 if(res != CURLE_OK)
-- cgit v1.2.3
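Review bot: With the new `if(ssl_cafile && verifypeer)` guard in darwinssl_connect_step1, a configured CA file is dropped without any trace when verification is off, where the removed branch used to fail the connection with CURLE_SSL_CONNECT_ERROR. The result is a session whose peer is not authenticated, so a verbose message would let users and log reviewers see that the bundle was not applied, e.g. `else if(ssl_cafile) infof(data, "SSL: CA certificate file ignored, peer verification is disabled\n");` after the block. A wrong --cacert path also goes unreported in that mode, which looks acceptable but is worth stating in the option documentation; the diffstat shows only this one file changed. The function body starts and ends outside the hunk.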
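Review bot: The added `SSL_CONN_CONFIG(verifypeer)` test under `case -9841:` has no comment saying that skipping verify_cert() here is intentional, and a later reader could take the missing CA check for an oversight. I would add above the `if`: `/* verifypeer off takes precedence over a CA file: the custom CA check is skipped on purpose */`. The same precedence rule is spelled with locals in darwinssl_connect_step1 and with SSL_CONN_CONFIG() here, so the two conditions have to be kept in step by hand. The case body and the rest of darwinssl_connect_step2 continue outside the hunk.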