[GNUnet-SVN] [gnurl] 51/178: Revert "openssl: Don't add verify locations
From: gnunet
Subject: [GNUnet-SVN] [gnurl] 51/178: Revert "openssl: Don't add verify locations when verifypeer==0"
Date: Wed, 23 May 2018 12:24:46 +0200
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit 2536e2450b4b0364d83c315ad2ee01b67f514db0
Author: Gaurav Malhotra <address@hidden>
AuthorDate: Tue Apr 3 18:11:27 2018 +0530
Revert "openssl: Don't add verify locations when verifypeer==0"
This reverts commit dc85437736e1fc90e689bb1f6c51c8f1aa9430eb.
libcurl (with the OpenSSL backend) performs server certificate verification
even if verifypeer == 0 and the verification result is available using
CURLINFO_SSL_VERIFYRESULT. The commit that is being reverted caused the
CURLINFO_SSL_VERIFYRESULT to not have useful information for the
verifypeer == 0 use case (it would always have
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY).
Closes #2451
---
lib/vtls/openssl.c | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 205d303ed..cbd89cbe4 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2349,11 +2349,10 @@ static CURLcode ossl_connect_step1(struct connectdata
*conn, int sockindex)
#endif
if(ssl_cafile || ssl_capath) {
- if(verifypeer) {
- /* tell SSL where to find CA certificates that are used to verify
- the servers certificate. */
- if(!SSL_CTX_load_verify_locations(BACKEND->ctx,
- ssl_cafile, ssl_capath)) {
+ /* tell SSL where to find CA certificates that are used to verify
+ the servers certificate. */
+ if(!SSL_CTX_load_verify_locations(BACKEND->ctx, ssl_cafile, ssl_capath)) {
+ if(verifypeer) {
/* Fail if we insist on successfully verifying the server. */
failf(data, "error setting certificate verify locations:\n"
" CAfile: %s\n CApath: %s",
@@ -2361,18 +2360,20 @@ static CURLcode ossl_connect_step1(struct connectdata
*conn, int sockindex)
ssl_capath ? ssl_capath : "none");
return CURLE_SSL_CACERT_BADFILE;
}
- else {
- /* Everything is fine. */
- infof(data, "successfully set certificate verify locations:\n"
- " CAfile: %s\n CApath: %s\n",
- ssl_cafile ? ssl_cafile : "none",
- ssl_capath ? ssl_capath : "none");
- }
+ /* Just continue with a warning if no strict certificate verification
+ is required. */
+ infof(data, "error setting certificate verify locations,"
+ " continuing anyway:\n");
}
else {
- infof(data, "ignoring certificate verify locations due to "
- "disabled peer verification\n");
- }
+ /* Everything is fine. */
+ infof(data, "successfully set certificate verify locations:\n");
+ }
+ infof(data,
+ " CAfile: %s\n"
+ " CApath: %s\n",
+ ssl_cafile ? ssl_cafile : "none",
+ ssl_capath ? ssl_capath : "none");
}
#ifdef CURL_CA_FALLBACK
else if(verifypeer) {
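Review bot: In the "continuing anyway" branch (load failed, verifypeer == 0), the only trace of the failure is an infof() line, so an application that disables verifypeer and then makes its own decision from CURLINFO_SSL_VERIFYRESULT cannot tell a bad CAfile/CApath from an untrusted server: per the commit message, a missing trust store yields X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. Consider saying so in the comment "Just continue with a warning if no strict certificate verification is required", or documenting next to CURLINFO_SSL_VERIFYRESULT that the value is only meaningful when the verify locations loaded. Smaller point: the status text and the CAfile/CApath values are now emitted by two separate infof() calls, so a debug callback receives the message in two pieces; a single call per branch would keep each log entry self-contained.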