From 7b55279d1d856c9ef19d942c2672a3d616254452 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel
Date: Tue, 24 Mar 2015 13:25:17 +0100
Subject: configure: --with-ca-fallback: use built-in TLS CA fallback
When trying to verify a peer without having any root CA certificates set, this makes libcurl use the TLS library's built in default as fallback.
Closes #569
---
lib/vtls/openssl.c | 7 +++++++
1 file changed, 7 insertions(+)
(limited to 'lib/vtls/openssl.c')
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 70cfb84af..b36c6a611 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1960,6 +1960,13 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
 data->set.str[STRING_SSL_CAPATH] ? data->set.str[STRING_SSL_CAPATH]: "none");
 }
+#ifdef CURL_CA_FALLBACK
+ else if(data->set.ssl.verifypeer) {
+ /* verfying the peer without any CA certificates won't
+ work so use openssl's built in default as fallback */
+ SSL_CTX_set_default_verify_paths(connssl->ctx);
+ }
+#endif
 if(data->set.str[STRING_SSL_CRLFILE]) {
 /* tell SSL where to find CRL file that is used to check certificate
-- cgit v1.2.3
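Review bot: The return value of `SSL_CTX_set_default_verify_paths(connssl->ctx)` in the new `else if(data->set.ssl.verifypeer)` branch is ignored, so when OpenSSL's built-in store cannot be loaded the fallback silently leaves verification with no trust anchors and the problem only surfaces later as an opaque handshake verification failure, whereas the CAfile/CApath branch whose tail is visible just above at least reports what it used. Check the result and fail the connect step, presumably through the same failf()/CURLE_SSL_CACERT_BADFILE path that branch uses above the hunk (confirm against its body). The comment should also say that this call honors the SSL_CERT_FILE and SSL_CERT_DIR environment variables, so in this mode the effective trust store is environment-controlled, and `verfying` should read `verifying`. ossl_connect_step1 begins and ends outside the hunk.
```c
  else if(data->set.ssl.verifypeer) {
    /* verifying the peer without any CA certificates won't work, so use
       OpenSSL's built-in default paths (these also honor SSL_CERT_FILE and
       SSL_CERT_DIR from the environment) as a fallback */
    if(!SSL_CTX_set_default_verify_paths(connssl->ctx)) {
      failf(data, "error loading default CA certificate locations");
      return CURLE_SSL_CACERT_BADFILE;
    }
  }
```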