Revert "openssl: Don't add verify locations when verifypeer==0"
This reverts commit dc85437736
.
libcurl (with the OpenSSL backend) performs server certificate verification
even if verifypeer == 0 and the verification result is available using
CURLINFO_SSL_VERIFYRESULT. The commit that is being reverted caused the
CURLINFO_SSL_VERIFYRESULT to not have useful information for the
verifypeer == 0 use case (it would always have
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY).
Closes #2451
This commit is contained in:
Родитель
336b6a32c0
Коммит
2536e2450b
|
@ -2349,11 +2349,10 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
|||
#endif
|
||||
|
||||
if(ssl_cafile || ssl_capath) {
|
||||
if(verifypeer) {
|
||||
/* tell SSL where to find CA certificates that are used to verify
|
||||
the servers certificate. */
|
||||
if(!SSL_CTX_load_verify_locations(BACKEND->ctx,
|
||||
ssl_cafile, ssl_capath)) {
|
||||
/* tell SSL where to find CA certificates that are used to verify
|
||||
the servers certificate. */
|
||||
if(!SSL_CTX_load_verify_locations(BACKEND->ctx, ssl_cafile, ssl_capath)) {
|
||||
if(verifypeer) {
|
||||
/* Fail if we insist on successfully verifying the server. */
|
||||
failf(data, "error setting certificate verify locations:\n"
|
||||
" CAfile: %s\n CApath: %s",
|
||||
|
@ -2361,18 +2360,20 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
|||
ssl_capath ? ssl_capath : "none");
|
||||
return CURLE_SSL_CACERT_BADFILE;
|
||||
}
|
||||
else {
|
||||
/* Everything is fine. */
|
||||
infof(data, "successfully set certificate verify locations:\n"
|
||||
" CAfile: %s\n CApath: %s\n",
|
||||
ssl_cafile ? ssl_cafile : "none",
|
||||
ssl_capath ? ssl_capath : "none");
|
||||
}
|
||||
/* Just continue with a warning if no strict certificate verification
|
||||
is required. */
|
||||
infof(data, "error setting certificate verify locations,"
|
||||
" continuing anyway:\n");
|
||||
}
|
||||
else {
|
||||
infof(data, "ignoring certificate verify locations due to "
|
||||
"disabled peer verification\n");
|
||||
/* Everything is fine. */
|
||||
infof(data, "successfully set certificate verify locations:\n");
|
||||
}
|
||||
infof(data,
|
||||
" CAfile: %s\n"
|
||||
" CApath: %s\n",
|
||||
ssl_cafile ? ssl_cafile : "none",
|
||||
ssl_capath ? ssl_capath : "none");
|
||||
}
|
||||
#ifdef CURL_CA_FALLBACK
|
||||
else if(verifypeer) {
|
||||
|
|
Загрузка…
Ссылка в новой задаче